You do not make problems disappear by declaring them out of scope.
Security systems are social systems. If you have not considered the
business and social issues, you haven't got a system.
Security is about people, not protocols.
On Wed, Feb 24, 2010 at 2:30 PM, Shane Kerr <shane(_at_)isc(_dot_)org> wrote:
On Wed, 2010-02-24 at 10:00 -0500, Phillip Hallam-Baker wrote:
I took a look at DNSCurve. Some points:
* It could certainly win.
* It is designed as a hack rather than an extension.
* It considers real world requirements that DNSSEC does not.
On the 'winning' front. Have people noticed that the IETF has only
ever succeeded in developing security standards by appropriating
systems that had already defeated the IETF-generated solution? PGP was
not developed in house, it was a reaction to PEM. SSL was developed by
Netscape. X.509 came from OSI.
DNSCurve and DNSSEC are orthogonal, and solve different - if related -
DNSSEC declares out of scope:
* the channel where DS records get added to the parent
* encryption (which I think DNSCurve provides)
DNSCurve declares out of scope:
* the channel where the magic NS records get added to the parent
* the channel where records get sent from the parent to the name
servers in the RRSET
* master or slave name server compromises
* off-line secret key handling
Depending on what you consider important, either technology may or may
not be what you want. You could, in principle, use both, and it actually
would provide different types of security.
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,