ietf

Re: WCIT outcome?

2013-01-02 10:30:28
On Wed, Jan 2, 2013 at 9:46 AM, John Day <jeanjour(_at_)comcast(_dot_)net> wrote:

Interesting as always.

But beyond the illegitimate concerns, there are some important legitimate
ones. In particular a country like France has to be concerned that if it
gets into a trade dispute with the US that the US administration can't
force it into submission by threatening to cut off its connection to the
Internet or any other essential communication technology.

This is not a theoretical consideration. The reason that there is no
central repository for RFID product identifiers is that the French
government decided that the proposals on the table would give the US the
ability to control the sale of French products by ordering the maintainer
of the registry not to publish them. That would effectively make it
impossible to sell them through the electronic supply chain. So they made
sure that the registry did not happen.



Then the RFID folks had written a lousy standard.  It is pretty easy to
design a decentralized name space methodology, such that no one can control
the whole thing.  Regulating to protect stupidity interferes with Darwin.
;-)


Which was my on-topic conclusion.

If IETF wants to avoid government level politics then we have to design the
technology in such a way that we eliminate or mitigate any control points.

The WebPKI has been successfully deployed precisely because it has
sufficient hierarchy to be scalable without establishing a single control
point like the PEM proposal.

I don't think we will see DNSSEC or BGPSEC being allowed to propagate
unless attention is paid to the legitimate interest of states to avoid
technology capture.


DNSSEC does not replace the WebPKI, nor does BGPSEC. But we need all three
security layers if we are going to achieve a comprehensive security
solution for the Internet. Each technology has a very specific purpose:

BGPSEC: Prevent/mitigate Denial of Service attacks through bogus route
advertisement

DNSSEC: Distribute security policy information tied to the Internet naming
system

WebPKI: Establish accountability of the parties at the Internet end points.


At the moment we have a broken system because DNSSEC is being sold as a
'free' replacement for WebPKI, which is a losing proposition as (1) the cost
of deploying DNSSEC is many times the cost of buying a domain-validated SSL
certificate and (2) the real purpose of the WebPKI is to establish
accountability, which requires a stronger credential than merely having
bought a DNS name.

-- 
Website: http://hallambaker.com/