[dnssec-deployment] A gazillion new TLDs
Ed.Lewis at neustar.biz
Fri Jun 27 11:58:32 EDT 2008
At 16:20 +0100 6/27/08, Ben Laurie wrote:
>Edward Lewis wrote (the >> lines):
>Surely those goals are contradictory?
>> If security limits scaling, something is wrong with the security.
>If you think security is without cost, something is wrong with you.
I didn't say anything about cost.
Security might be a bottleneck and in some cases the answer is to
scale upwards the capacity of the security system. But that isn't
what I meant.
If you look at a state diagram of a system, there are safe states,
unsafe states, and dangerous states. You want to run in safe states,
avoiding as much as possible the dangerous states, and stay
completely out of unsafe states.
A security system's job is to allow all safe states to continue to be
in play, cause all sorts of nuisances before a dangerous state is
entered, and prevent entry to unsafe states. Sometimes a security
architecture can fail to do its job and prohibit safe states that
are essential to scaling or allow unsafe states to be entered.
What I was thinking about when I wrote the line in question was the
concern that "more TLDs will make it ever harder" for protection
systems to tell anything from the TLD used. In that case, it's not a
problem of more TLDs but a problem of the heuristics used to decide
if a transaction is fraudulent.
Edward Lewis +1-571-434-5468
Never confuse activity with progress. Activity pays more.