
Re: [saag] : DNSSEC PKI semantics and risks (was tangentially: Last Call: <draft-dukhovni-opportunistic-security-01.txt>)

2014-08-08 07:04:32
On Thu, Aug 7, 2014 at 2:02 PM, Paul Wouters <paul(_at_)nohats(_dot_)ca> wrote:
On Thu, 7 Aug 2014, Phillip Hallam-Baker wrote:

<trans wg cochair hat on>
The reason TRANS does not currently appear to be relevant to the
DNSSEC advocates is that they are simplifying the PKI problem to
exclude consideration of the entire class of attacks that TRANS is
designed to control.
We have had only very preliminary TRANS DNSSEC discussion so far.

I am not aware of anything being excluded at this point. Some concerns
raised do relate to the sheer size of DNS and what to log and what not
to log to keep the log servers alive.

What do you believe has already been excluded from TRANS with respect to
DNSSEC by DNSSEC advocates?

That is not what I wrote.

What I was saying is that the need for TRANS is not going to be
understood by people who believe that the 500+ DNS registrars are all
trustworthy and that the mechanisms that the now 300+, soon to be
1,000s of registries deploy to ensure that keys are only introduced by
the authorized party will all work without any possibility of error or
attack.
TRANS is the way to deploy DNSSEC.

CAs will be doing CT; Google has told us we will.

CAs have the infrastructure to walk people through deployment of
cryptographic apparatus.