
[saag]: DNSSEC PKI semantics and risks (was tangentially: Last Call: <draft-dukhovni-opportunistic-security-01.txt>)

2014-08-06 17:55:13
On Wed, Aug 06, 2014 at 06:39:37PM -0400, John C Klensin wrote:

> The other end is equally bad.  DNSSEC protects the integrity of
> data already stored in the DNS.  But, if the proverbial Bad Guy
> can compromise a domain name registrar and register a name that
> is misleading or otherwise problematic, certificates tied to
> that name may not be very useful, especially as assertions of
> good and upright behavior associated with, e.g., mail traffic.
> Whether DANE-type certificates that depend on DNSSEC and
> registrar integrity are more or less trustworthy than PKI-type
> certificates that depend on certificate chains,
> low-assertion-quality certificates, and CA integrity is an
> interesting question... but one that might easily be resolved by
> a race to the bottom.

If folks want to continue this nuanced tangential discussion,
perhaps a separate thread on saag, or on Perry's cryptography list
would be more appropriate.  I'm having a hard enough time keeping
track of all the on-topic LC mail.

I am redirecting replies to saag only, and changing the subject.
With any luck I've also removed the "References:" header, thus
severing the new thread from the original.

[ For what it is worth, I for one, don't expect certificates to
warrant trustworthy or upright counterparty behaviour.  I only
expect them to ensure channel integrity for my connection to
whichever deviant fraudster I've chosen to connect to. :-)  Please
express any agreement or disagreement with that
sentiment in another thread.  Thanks. ]

-- 
        Viktor.