[Dnssec-deployment] Root Zone DNSSEC Deployment Technical Status Update

Otmar Lendl ol at bofh.priv.at
Mon Jul 19 09:16:00 EDT 2010


On 19.07.2010 14:29, Peter Koch wrote:
>
> Now, this may be all 'better than nothing' or 'good enough' or 'opportunistic'
> (in some positive spirit) or even 'not worse than what today's certificate
> practices', but the difference remains.  Think liability.

As I see it, the web security user-interface right now has a serious
shortcoming:

Right now it's either

* http:, meaning no security at all
* https:, meaning encryption and MITM protection via server certs
* https + EV Certs, big green "all is fine" GUI

Self-signed https is a bastard child right now that is actually better than
plain http, but not as secure as a fully PKI certified https:

The warning that the browser shows to the user makes it look like the site
is potentially dangerous, whereas in reality it's just http: plus
protection against passive wiretapping.

So anything that can tell the browser to use https with a given key instead
of plain http is a security benefit.

The real issue is how to present this to the user: What he gets is better
than plain http, but not as strong as PKI-backed https.

----------

On the other hand, the value of old-style https has been dropping for some
time now, thus the emergence of Extended-Validation Certs. This is where
the pages with real security requirements are right now, and the browser
vendors are providing appropriate GUI hints to the user for such certs.

With DNSSEC-backed certificates we now have the following security hierarchy:

* plain http
* self-signed https:
* self-signed https + DNSSEC record
* simple https: certificate
* EV https: certificate

The challenge is to provide the right hints to the user. For that, these 5
categories are too many, and might need simplification.

cheers,

otmar
-- 
-=-  Otmar Lendl  --  ol at bofh.priv.at  --  http://lendl.priv.at/  -=-

