
Re: [dane] PGP security models, was Summary of IETF LC for draft-ietf-dane-openpgpkey

2015-09-23 14:39:17
On Wed, Sep 23, 2015 at 8:55 AM, Philip Homburg <pch-ietf-2(_at_)u-1(_dot_)phicoh(_dot_)com> wrote:


> But for ordinary e-mail, if we can trust the CA system to protect websites,
> why not trust DNSSEC to protect e-mail?


That isn't really the reason to be concerned.

What worries me is that DANE is one way to use DNSSEC to secure things.
DANE is not necessarily the best way to apply DNSSEC. DNSSEC is not
necessarily the best tool to approach this problem.

And we have the fact that the Snowden documents tell us that $250 million
is spent every year on the BULLRUN program to sabotage standards efforts to
produce strong crypto.


My #1 concern is that some of the folk behind this proposal have a long
history of sharp elbows. As soon as they get an IETF endorsement for their
scheme, they then use it to tell other people with other ideas that they
must stop working on them, stop talking about them, because THE DECISION
HAS BEEN MADE.

It is total bullcrap of course. And most of us know not to get suckered in.
But that has been done to me repeatedly and I am sick of it. So I would
like any document to have a disclaimer at the top of every page saying that
this is only experimental and does not commit the IETF to one particular
approach.


OK, so that said, about using DNSSEC. I don't think it is going to get
anywhere because most people don't have the required control over their DNS
to make this happen. That might change in the future, but people have been
trying to put email addresses into DNS records since the first edition of
the spec and none of those schemes has been successful.

If you want a scheme that might be used by a few hundred thousand system
administrators, well it is better than nothing at all and might be
successful. But this is no solution to the problem of pervasive
surveillance and people need to be aware of that.
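For readers who want to see what "putting an email address into DNS" means in the scheme under discussion, the following is an added illustration, not code from this message, from the draft authors, or from the thread. It derives the owner name of an OPENPGPKEY record the way the draft was eventually published in RFC 7929: the SHA2-256 digest of the UTF-8 local-part, truncated to 28 octets and written as lowercase hex, placed under `_openpgpkey.<domain>`. Whether the draft revision being discussed in September 2015 used exactly this truncation is an assumption here; the addresses and the domain are constructed for the example, and the `split_address`, `openpgpkey_label` and `openpgpkey_owner_name` function names are mine.

```python
"""Owner-name derivation for OPENPGPKEY records (RFC 7929, Section 2).

Added illustration for the mailing-list thread; not code from the draft
authors or the message above. Assumes the RFC 7929 form of the scheme.
"""
import hashlib

# Constructed sample addresses; not taken from the thread.
EXAMPLE_ADDRESSES = [
    "hugh@example.com",
    "Hugh@example.com",        # same mailbox to most MTAs, different hash
    "hugh+lists@example.com",  # sub-addressing also changes the hash
    '"a@b"@example.com',       # quoted local-part containing '@'
]


def split_address(addr: str) -> tuple[str, str]:
    """Split an addr-spec into (local-part, domain).

    Splits on the LAST '@' so a quoted local-part such as "a@b" survives.
    The local-part is returned byte-for-byte as written: RFC 7929 hashes it
    as given and does no case folding or unquoting. The domain is lowercased
    and any trailing dot removed, since DNS names are case-insensitive.
    """
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an addr-spec: {addr!r}")
    return local, domain.rstrip(".").lower()


def openpgpkey_label(local_part: str) -> str:
    """Leftmost label: SHA2-256(local-part) truncated to 28 octets, lowercase hex.

    28 octets -> 56 hex characters, which fits within the 63-octet DNS label
    limit. Truncation means the label is a one-way, non-enumerable handle:
    a querier must already know the exact local-part spelling.
    """
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return digest.hex()


def openpgpkey_owner_name(addr: str) -> str:
    """Fully qualified owner name to query for the OPENPGPKEY RRset."""
    local, domain = split_address(addr)
    return f"{openpgpkey_label(local)}._openpgpkey.{domain}."


if __name__ == "__main__":
    for addr in EXAMPLE_ADDRESSES:
        print(f"{addr:28} -> {openpgpkey_owner_name(addr)}")
```

Two properties worth noticing when running it: `hugh@example.com` and `Hugh@example.com` map to different owner names, because the local-part is hashed exactly as written, and the `+lists` variant gets its own name too. So the zone operator must publish one record per spelling that senders might use, and the sender's software must not normalise the local-part before hashing. That operational coupling between the mail system and the zone file is the "control over their DNS" the message above is sceptical most users have.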