
Re: Security for various IETF services

2014-04-10 19:33:26

In message <20140410141406(_dot_)GF15925(_at_)thunk(_dot_)org>, Theodore Ts'o 
writes:
On Wed, Apr 09, 2014 at 04:15:53PM -0400, Steve Crocker wrote:
My own opinion is related but not identical.  I agree solutions 1
and 3 are failures; 1 doesn't provide the trust and 3 doesn't scale.
Solution 2 is also problematic because the government tends to
overreach and there isn't a single government.

DNSSEC provides a base platform to build upon.  It doesn't claim to
provide the level of trust the CA system tried to provide.  That's a
key strength, not a weakness.

DNSSEC basically has the same properties as the "race to the bottom
certifying authorities" model, except it's a "race to the bottom of
the DNS registries" --- and in some cases, the same company runs both a
CA and a DNS registry.  "Meet the new boss, same as the old boss"....

Not quite the same.  A CA could issue a cert without any checking
for any domain.  Here you need to be the registrar of record to add
records to the registry.  Also a registry can only add records for
the namespace it manages, not any arbitrary name.

So to get a bad DS added you need to be a corrupt registry or a
corrupt employee of a registry or you need to compromise the registrant's
credentials or you need to succeed in transferring the zone to you.

The registry can provide some protection for some of these threats.

This is a smaller attack surface than the plain CA attack surface.

So if you're willing to disclaim the amount of trust that the CA
system purports to provide, it's really a question of "IPSEC" vs "TLS"
--- i.e., at which layer of the stack you are applying the protection.

Cheers,

                                      - Ted

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka(_at_)isc(_dot_)org