Re: [dane] Last Call: <draft-ietf-dane-protocol-19.txt> (The

ietf

Re: [dane] Last Call: <draft-ietf-dane-protocol-19.txt> (The

2012-04-12 16:36:07

SM wrote:


In Section 8.1:

   "If it is less likely that a user will hear about its trusted DNSSEC
    validators being hacked that it is of a public CA being compromised"

I suggest using "compromised" instead of "hacked".


Similar to what John complains about, comparing trusted DNSSEC validators
to public CAs is comparing apples and oranges.

The equivalent of a trusted DNSSEC validator in the PKIX world would
be an SCVP server/service!

The compromise of the DNSSEC zone data for DANE is probably equivalent to
the compromise of an organizational CA signed by a public CA with
name constraints to that DNS zone.

The compromise of an unconstrained public CA in the PKIX world would
be equivalent to a compromise of the root DNSSEC zone data in the DANE world.


-Martin

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Re: [dane] Last Call: <draft-ietf-dane-protocol-19.txt> (The DNS-Based Authentication of Named Entities (DANE) Protocol for Transport Layer Security (TLS)) to Proposed Standard, (continued) Re: [dane] Last Call: <draft-ietf-dane-protocol-19.txt> (The DNS-Based Authentication of Named Entities (DANE) Protocol for Transport Layer Security (TLS)) to Proposed Standard, Ondřej Surý Re: [dane] Last Call: <draft-ietf-dane-protocol-19.txt> (The DNS-Based Authentication of Named Entities (DANE) Protocol for Transport Layer Security (TLS)) to Proposed Standard, John Gilmore Re: [dane] Last Call: <draft-ietf-dane-protocol-19.txt> (The DNS-Based Authentication of Named Entities (DANE) Protocol for Transport Layer Security (TLS)) to Proposed Standard, Ondřej Surý Re: [dane] Last Call: <draft-ietf-dane-protocol-19.txt> (The DNS-Based Authentication of Named Entities (DANE) Protocol for Transport Layer Security (TLS)) to Proposed Standard, Peter Palfrader Re: [dane] Last Call: <draft-ietf-dane-protocol-19.txt> (The DNS-Based Authentication of Named Entities (DANE) Protocol for Transport Layer Security (TLS)) to Proposed Standard, Ondřej Surý Re: [dane] Last Call: <draft-ietf-dane-protocol-19.txt> (The DNS-Based Authentication of Named Entities (DANE) Protocol for Transport Layer Security (TLS)) to Proposed Standard, ned+ietf Re: [dane] Last Call: <draft-ietf-dane-protocol-19.txt> (The DNS-Based, Martin Rex Re: [dane] Last Call: <draft-ietf-dane-protocol-19.txt> (The DNS-Based, ned+ietf Re: [dane] Last Call: <draft-ietf-dane-protocol-19.txt> (The DNS-Based Authentication of Named Entities (DANE) Protocol for Transport Layer Security (TLS)) to Proposed Standard, SM Re: [dane] Last Call: <draft-ietf-dane-protocol-19.txt> (The DNS-Based Authentication of Named Entities (DANE) Protocol for Transport Layer Security (TLS)) to Proposed Standard, Paul Wouters Re: [dane] Last Call: <draft-ietf-dane-protocol-19.txt> (The, Martin Rex <=

Previous by Date:	Re: [dane] Last Call: <draft-ietf-dane-protocol-19.txt> (The DNS-Based Authentication of Named Entities (DANE) Protocol for Transport Layer Security (TLS)) to Proposed Standard, ned+ietf
Next by Date:	Re: [dane] Last Call: <draft-ietf-dane-protocol-19.txt> (The DNS-Based Authentication of Named Entities (DANE) Protocol for Transport Layer Security (TLS)) to Proposed Standard, SM
Previous by Thread:	Re: [dane] Last Call: <draft-ietf-dane-protocol-19.txt> (The DNS-Based Authentication of Named Entities (DANE) Protocol for Transport Layer Security (TLS)) to Proposed Standard, Paul Wouters
Next by Thread:	Re: [savi] Last Call: <draft-ietf-savi-dhcp-12.txt> (SAVI Solution for DHCP) to Proposed Standard, eric levy-abegnoli
Indexes:	[Date] [Thread] [Top] [All Lists]