Some, but not all censorship attempts may be justified.
For example, consider the case where you want to discourage users from
visiting known phishing sites or domains that have been registered for
botnet herders to regain control after a communications loss.
We probably don't want that type of filtering added into the ICANN
root, but it might well be the sort of thing that an enterprise might
want to implement for its internal network.
While that type of infrastructure makes a form of political censorship
somewhat more straightforward, it only enables a pretty weak form of
censorship that is easily evaded. In general, I think we should stop
worrying about enabling government censorship in security protocols.
If we care about stopping censorship we should build a protocol that
is designed from the ground up with the purpose of being censorship
proof. Such a protocol would probably use USB keys for transport
rather than the Internet or a mixture of Internet and USB. Worrying
about incremental possibilities is pointless, the enemy already has
far greater capabilities than people worry about.
On Sun, Jun 14, 2009 at 10:51 AM, Ralf Weber<rw(_at_)colt(_dot_)net> wrote:
Moin!
On 14.06.2009, at 10:35, Florian Weimer wrote:
In DNS, the vast majority of DNS resolvers are maintained by hosting
providers. Thus no true end-to-end service is possible.
Wrong. The majority of resolvers are maintained by Microsoft.
Microsoft could ship the KSK for the root to customer machines in a
security update. As it happens, in this case, the KSK wouldn't even
be the penultimate key, showing that the debate over who holds the KSK
is quite pointless. Now that we've got automatic software updates, we
don't even need a signed root.
Can you elaborate on that? Last time I checked most of the Windows OS I
know got there resolver IP from the DHCP server which either is the ISPs
resolver, or the address of the broadband gateway, which DNS proxies to
the ISPs resolver. I know how non recursive validating stub resolvers
should work, I just haven't seen them deployed widely. Even business
customers which is the majority of customers we have tend to use our
(the ISP) resolvers directly . That might be also the reason why
governments love to use them to block content ;-).
So long
-Ralf
---
Ralf Weber
Platform Infrastructure Manager
Colt Telecom GmbH
Herriotstrasse 4
60528 Frankfurt
Germany
DDI: +49 (0)69 56606 2780 Internal OneDial: 8 491 2780
Fax: +49 (0)69 56606 6280
Email: rw(_at_)colt(_dot_)net
http://www.colt.net/
Data | Voice | Managed Services
Schütze Deine Umwelt | Erst denken, dann drucken
*****************************************
COLT Telecom GmbH, Herriotstraße 4, 60528 Frankfurt/Main, Deutschland * Tel
+49 (0)69 56606 0 * Fax +49 (0)69 56606 2222 *
Geschäftsführer: Dr. Jürgen Hernichel (Vors.), Rita Thies * Amtsgericht
Frankfurt/Main HRB 46123 * USt.-IdNr. DE 197 498 400
--
--
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
http://quantumofstupid.com/
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf