
Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-13 10:19:35


On Sep 12, 2013, at 7:24 AM, Theodore Ts'o <tytso(_at_)mit(_dot_)edu> wrote:
> It is still a hierarchical model of trust.  So at the top, if you
> don't trust Verisign for the .COM domain and PIR for the .ORG domain
> (and for people who are worried about the NSA, both of these are US
> corporations), the whole system falls apart.


It's also a constrained path of trust, and you can actually choose who you trust.

E.g. your application could be constructed to look up both 
"{data}.dnssec-info-domain.com" and "{data}.dnssec-info-domain.ru".  Only if 
both use the same validated key is the key accepted.

That way, the trust becomes:

1:  The root is trusted

2:  The registrars for .com and .ru don't collaborate, since they must 
collaborate for the trust to affect the results.


This is a huge difference from SSL, which unless you pin your application to 
trust only a single CA, you end up having to trust the entire universe of 
certificate authorities.

--
Nicholas Weaver                  it is a tale, told by an idiot,
nweaver(_at_)icsi(_dot_)berkeley(_dot_)edu                full of sound and fury,
510-666-2903                                 .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
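
The two-domain check described in the message above, sketched as an added example that is not part of the original post. The `lookup` interface, the `Answer` type and the `alice` label are assumptions made for illustration; a real deployment would back `lookup` with a DNSSEC-validating resolver.

```python
from typing import Callable, NamedTuple, Optional

class Answer(NamedTuple):
    validated: bool        # True only if the DNSSEC chain to the root verified
    key: Optional[bytes]   # key material from the record, None if no data

# Hypothetical lookup interface (name -> Answer), injected so this runs offline.
Lookup = Callable[[str], Answer]

def tld_of(zone: str) -> str:
    return zone.rstrip(".").rsplit(".", 1)[-1].lower()

def accept_key(label: str, zones: list, lookup: Lookup) -> Optional[bytes]:
    """Return the key only if every zone yields the same DNSSEC-validated key."""
    if len(zones) < 2 or len({tld_of(z) for z in zones}) != len(zones):
        # Two names under one TLD share a parent zone, so they add no independence.
        raise ValueError("need at least two zones under distinct TLDs")
    keys = set()
    for zone in zones:
        ans = lookup(f"{label}.{zone}")
        if not ans.validated or not ans.key:
            return None    # unsigned, bogus or missing answer: fail closed
        keys.add(ans.key)
    return keys.pop() if len(keys) == 1 else None

# Constructed sample data standing in for resolver answers.
ZONES = ["dnssec-info-domain.com", "dnssec-info-domain.ru"]
GOOD = b"constructed-public-key-A"
EVIL = b"constructed-public-key-B"
COM, RU = (f"alice.{z}" for z in ZONES)

def table_lookup(table: dict) -> Lookup:
    # Names absent from the table behave like an unvalidated, empty answer.
    return lambda name: table.get(name, Answer(False, None))

honest = table_lookup({COM: Answer(True, GOOD), RU: Answer(True, GOOD)})
# One TLD path substitutes a key that still validates under its own chain.
one_path_subverted = table_lookup({COM: Answer(True, EVIL), RU: Answer(True, GOOD)})
# One answer fails validation even though the key bytes match.
one_unvalidated = table_lookup({COM: Answer(True, GOOD), RU: Answer(False, GOOD)})

if __name__ == "__main__":
    for name, lk in [("honest", honest), ("subverted", one_path_subverted),
                     ("unvalidated", one_unvalidated)]:
        print(name, accept_key("alice", ZONES, lk))
```

A key substituted on only one of the two paths is rejected because the answers disagree; only the root, which both chains share, can change both answers consistently.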
