On Wed, Apr 09, 2014 at 04:15:53PM -0400, Steve Crocker wrote:
> My own opinion is related but not identical. I agree solutions 1
> and 3 are failures; 1 doesn't provide the trust and 3 doesn't scale.
> Solution 2 is also problematic because the government tends to
> overreach and there isn't a single government.
> DNSSEC provides a base platform to build upon. It doesn't claim to
> provide the level of trust the CA system tried to provide. That's a
> key strength, not a weakness.
DNSSEC basically has the same properties as the "race to the bottom
certifying authorities" model, except it's a "race to the bottom of
the DNS registries" --- and in some cases, the same company runs both a
CA and a DNS registry. "Meet the new boss, same as the old boss"....
So if you're willing to disclaim the amount of trust that the CA
system purports to provide, it's really a question of "IPSEC" vs "TLS"
--- i.e., at which layer of the stack you are applying the protection.
Cheers,
- Ted