--On Monday, August 11, 2014 07:36 +1200 Brian E Carpenter
<brian(_dot_)e(_dot_)carpenter(_at_)gmail(_dot_)com> wrote:
On 11/08/2014 06:18, Andrew Sullivan wrote:
On Sun, Aug 10, 2014 at 05:35:03PM -0000, John Levine wrote:
As far as I can tell, we don't have a good word to describe
what DNSSEC does.
Nonsense. "This data was not tampered with while in transit
from the authoritative server to you." That's what it does.
What people are pointing out is that this is no better, and no
worse, than the seal on a snake oil bottle proving that the
snake oil has not been tampered with since it left the factory.
Exactly.
Unfortunately, the average user can easily confuse that with an
assurance that the snake oil will cure your illness. There
isn't much we can do to change that.
We can be very careful about the statements and assertions we
make. And we can pay attention to how those statements are
likely to be interpreted and be even more cautious about those
that stretch things a bit. A seal that says "genuine,
factory-sealed, snake oil" is different from one that stays
"genuine curative for all ills, sealed at the factory by genuine
snakes". Similarly, there is a different between "genuine,
IETF-approved, snake oil bottle sealing system" and "genuine,
IETF-approved, snake oil sealed bottle". The latter two mean
the same thing if read carefully enough, but the final one is
very easily misinterpreted. I suggest we have some obligation
to try to avoid, and help others avoid, the second of each pair.
Those issues are, IMO, a great deal more sensitive when we move
beyond certification of the integrity (in the "same thing at
authoritative server and as received" sense) of DNS responses to
using that same set of DNS relationships to certify keys or
other material that are used for identity assurance in other
environments. Not because the issues are different (although
they are, a bit), but because "identity assurance" is popularly
interpreted as involving much stronger statements than "correct
response to DNS query".
john