[dnssec-deployment] meeting announcement: 18 June 2008
bmanning at vacation.karoshi.com
Wed Jun 18 05:13:01 EDT 2008
On Tue, Jun 17, 2008 at 11:37:21PM -0400, Sam Weiler wrote:
> On Tue, 10 Jun 2008, Mats.Dufberg at teliasonera.com wrote:
>
> >A DLV [registry] for .COM domain names must be run by the .COM
> >Registry, or we would never trust it. If Verisign sets a DLV
> >[registry] up for .COM, we will take a look at it and ask them if
> >they will be RFC 5011 compliant. If someone else runs a DLV
> >[registry] for .COM they will never be able to keep the holder of
> >the DNSSEC key synchronized with the holder of the domain name. And
> >we will never add that to our resolvers.
>
> Do TeliaSonera and its users leave SSL certs for non-Verisign SSL CAs
> installed in their web browsers? If so, then why wouldn't it be
> plausible for a third party (like one of those SSL CAs) to provide a
> credible DNS TAR (whether delivered through DLV or otherwise) that
> they would be willing to trust?
I think the answer to this question is dependent on
the credibility of the third party in question.
X.509 CAs have independently verifiable criteria, whereas
a DNS TAR operator has no such criteria (that I can discern).
> There's certainly appeal to linking the DLV registry (or any TAR)
> operation to the DNS zone registry, but we have working code for other
> models that seems to satisfy most day-to-day needs. It may not be the
> most secure in the world, but it's secure enough that most people (and
> most sites) don't disable any of the multitude of CA certs in their
> web browsers.
And we have working code for MITM attacks. The problems with
"fire and forget" are legion. I'm persuaded that you and I
are among those who vet their CA certs... :)
>
> (As a pedantic terminology thing, I suggest using the phrase "DLV
> registry". I don't think anyone has ever defined "a DLV", nor does
> that phrase make obvious sense given the expansion of the acronym
> "DLV".)
>
> -- Sam
>
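The thread turns on who operates a DLV registry and whether its trust anchor can be rolled safely (the "RFC 5011 compliant" question above). The fragment below is an added example, not configuration from anyone in this thread: a BIND 9 validating resolver pointed at a DLV registry, showing a static anchor next to an RFC 5011 managed one. It assumes BIND 9.7 or later syntax; `dlv.example.net.` is a placeholder registry name and the key material is a placeholder to be replaced with the registry's real, out-of-band-verified DNSKEY.

```conf
// Added example, not from the thread: BIND 9 resolver (9.7+ syntax)
// using a DLV registry as a lookaside source of trust anchors.
// "dlv.example.net." and the key text are placeholders.

options {
    dnssec-enable yes;
    dnssec-validation yes;
    // For names under "." that have no chain of trust from a configured
    // anchor, look up <name>.dlv.example.net. in the DLV registry.
    dnssec-lookaside "." trust-anchor "dlv.example.net.";
};

// Use ONE of the two anchor blocks below for the registry name, not both.

// WEAK: static anchor for the registry's key. When the registry rolls its
// KSK, this resolver keeps trusting the old key and validation of every
// DLV-anchored name fails until an operator edits this file by hand.
trusted-keys {
    "dlv.example.net." 257 3 5 "BASE64-DNSKEY-PLACEHOLDER";
};

// PREFERRED: RFC 5011 managed anchor. BIND polls the registry's DNSKEY
// RRset, accepts a new KSK once it has been seen signed by the current
// one for the hold-down period, and drops keys the registry revokes.
managed-keys {
    "dlv.example.net." initial-key 257 3 5 "BASE64-DNSKEY-PLACEHOLDER";
};
```

Note what RFC 5011 does and does not buy here: it automates rollover of the registry's own anchor, so a resolver is not stranded on a retired key. It says nothing about whether the per-domain records the registry publishes track the current holder of each .COM name, which is the synchronization problem raised at the top of the thread and is a property of how the registry is operated, not of the resolver configuration.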