[dnssec-deployment] A gazillion new TLDs

Edward Lewis Ed.Lewis at neustar.biz
Fri Jun 27 11:58:32 EDT 2008


At 16:20 +0100 6/27/08, Ben Laurie wrote:
>Edward Lewis wrote (the >> lines):

>Surely those goals are contradictory?

Exactly.

>>  If security limits scaling, something is wrong with the security.
>
>If you think security is without cost, something is wrong with you.

I didn't say anything about cost.

Security might be a bottleneck and in some cases the answer is to 
scale upwards the capacity of the security system.  But that isn't 
what I meant.

If you look at a state diagram of a system, there are safe states, 
unsafe states, and dangerous states.  You want to run in safe states, 
avoiding as much as possible the dangerous states, and stay 
completely out of unsafe states.

A security system's job is to allow all safe states to continue to be 
in play, cause all sorts of nuisances before a dangerous state is 
entered, and prevent entry to unsafe states. Sometimes a security 
architecture can fail to do its job and prohibit safe states that 
are essential to scaling or allow unsafe states to be entered.

What I was thinking about when I wrote the line in question was the 
concern that "more TLDs will make it ever harder" for protection 
systems to tell anything from the TLD used.  In that case, it's not a 
problem of more TLDs but a problem of the heuristics used to decide 
if a transaction is fraudulent.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Never confuse activity with progress.  Activity pays more.


