On Sep 11, 2013, at 12:38 PM, Phillip Hallam-Baker
<hallam(_at_)gmail(_dot_)com> wrote:
>> I disagree. DNSSEC is not just DNS: it's the only available, deployed, and
>> (mostly) accessible global PKI currently in existence which also includes a
>> constrained path of trust which follows already established business
>> relationships.
>
> Except that virtually nobody uses DNSSEC and most of the registrars don't
> support it.
I strongly disagree:
I had an easier time registering my DNSSEC test domain's DS records with the
registrar than the nameservers themselves, using an obnoxious company that
sponsors a NASCAR driver and has obnoxious TV ads.
Comcast and Google Public DNS both validate DNSSEC on all requests.
A small minority of clients can't fetch DNSSEC records, but most actually can,
either through one of the recursive resolvers or over the Internet.
> And then there is that other PKI that is actually used to support a trillion
> odd dollars worth of global e-commerce per year.
Which the NSA is man-in-the-middling with abandon, due in no small part to the
lack of a constrained path of trust. Google has effectively given up on the
TLS PKI for their own use in Chrome: they hardcode the Google sub-CA.
--
Nicholas Weaver                                 it is a tale, told by an idiot,
nweaver(_at_)icsi(_dot_)berkeley(_dot_)edu       full of sound and fury,
510-666-2903                                    signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
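The claim above that Comcast and Google Public DNS validate DNSSEC is something a practitioner can check from a client rather than take on faith. The script below is an added example and not code from the thread or from either participant: it sends a plain UDP query with the EDNS0 DO bit set and reads the AD (Authenticated Data) flag in the reply, which a validating resolver sets on answers it has validated and a non-validating one never sets. The resolver addresses (8.8.8.8, 8.8.4.4) and the use of example.com as a signed zone are assumptions; the sample replies are constructed inline so the parsing logic runs offline.

```python
"""Does a recursive resolver validate DNSSEC?  Added example, not from the thread.

Builds a query with RD=1 and an OPT RR carrying DO=1, then classifies the
reply by its header flags.  Resolver addresses and the test name are
assumptions; SAMPLE_* replies are constructed here, not captured traffic.
"""
import socket
import struct

# Header flag bits (RFC 1035 / RFC 4035 layout)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020   # resolver validated the data
FLAG_CD = 0x0010   # client asks resolver not to validate
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2

TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
EDNS_DO = 0x8000   # DO bit is the top bit of the OPT RR's 32-bit TTL field


def encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234, cd: bool = False) -> bytes:
    """One question, RD set, ARCOUNT=1 for the OPT RR with DO=1.
    cd=True also sets CD, so a resolver returns data it could not validate."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode|version|flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_flags(response: bytes) -> dict:
    """Extract the header fields the check depends on."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "ancount": an,
    }


def classify(response: bytes, expected_id: int = 0x1234) -> str:
    """'validated', 'unvalidated', 'servfail', or 'bad-reply' for a packet that is not ours."""
    f = parse_flags(response)
    if f["id"] != expected_id or not f["qr"]:
        return "bad-reply"
    if f["rcode"] == RCODE_SERVFAIL:
        return "servfail"      # may be a validation failure: re-query with cd=True to tell
    if f["ad"]:
        return "validated"     # resolver validated; the path from you to it is still unprotected
    return "unvalidated"       # non-validating resolver, or an unsigned zone


def query_resolver(name: str, resolver_ip: str, cd: bool = False, timeout: float = 3.0) -> bytes:
    """Live UDP query (needs network; the offline samples below do not use it)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, cd=cd), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return data


def _sample_reply(flags: int) -> bytes:
    """Constructed reply: header plus echoed question, no RRs (enough for the header checks)."""
    return (struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
            + encode_name("example.com") + struct.pack("!HH", TYPE_A, CLASS_IN))


SAMPLE_VALIDATED = _sample_reply(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)   # shape of a validated answer
SAMPLE_UNVALIDATED = _sample_reply(FLAG_QR | FLAG_RD | FLAG_RA)          # AD clear
SAMPLE_SERVFAIL = _sample_reply(FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL)

if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumption: a signed zone
    for resolver in ("8.8.8.8", "8.8.4.4"):                        # assumption: Google Public DNS
        try:
            print(resolver, classify(query_resolver(name, resolver)))
        except OSError as e:
            print(resolver, "error:", e)
```

Two caveats the check itself makes visible. AD only says the resolver validated; a client that does not validate locally is trusting the unprotected hop to that resolver, which is exactly the "small minority of clients" problem. And a SERVFAIL on a DO query is ambiguous until you repeat it with CD=1: if the CD query succeeds where the plain one failed, the resolver refused the answer because the signatures did not check out.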