[Dnssec-deployment] Root Zone DNSSEC Deployment Technical Status Update

Joe Abley joe.abley at icann.org
Mon Jul 19 09:36:13 EDT 2010


On 2010-07-19, at 09:28, Florian Weimer wrote:

> IMHO, the answer is to transparently upgrade to HTTPS within HTTP, and
> continue to show the http:// protocol scheme at the UI level.  Thus,
> passive eavesdropping becomes impossible, but the user experience
> stays the same (which is important because support calls because of
> unexpected URL bar colors cost money).

How would an existing application that has no privacy or security concerns, but which relies heavily upon intermediate caching, cope with such a scheme? What signalling is available to a legacy application?

What might be the cost of unexpected certificate validation failures in terms of user confusion and corresponding helpdesk calls?

For busy web sites, is it not reasonable to think that SSL on every session might impose a significant CPU burden?

Seems to me that the only plausible deployment for such a protocol modification would be opt-in on at least the part of the server operator (if it became magically enabled in some version of IIS or Apache surely support memes would circulate rapidly advising that it be turned off), and arguably the client side (see above), which makes me think it's probably not deployable in any practical sense.


Joe