[Dnssec-deployment] Root Zone DNSSEC Deployment Technical Status Update
fweimer at bfk.de
Mon Jul 19 09:47:38 EDT 2010
* Joe Abley:
> On 2010-07-19, at 09:28, Florian Weimer wrote:
>> IMHO, the answer is to transparently upgrade to HTTPS within HTTP, and
>> continue to show the http:// protocol scheme at the UI level. Thus,
>> passive eavesdropping becomes impossible, but the user experience
>> stays the same (which is important because support calls because of
>> unexpected URL bar colors cost money).
> How would an existing application that has no privacy or security
> concerns, but which relies heavily upon intermediate caching, cope
> with such a scheme?
It's up to the cache to use the modified transport protocol. Same as
> What signalling is available to a legacy application?
Legacy applications simply won't upgrade to TLS.
> What might be the cost of unexpected certificate validation failures
You don't need to perform certificate validation at all when you show
an http:// URL. That's the beauty of this scheme.
> For busy web sites, is it not reasonable to think that SSL on every
> session might impose a significant CPU burden?
Maybe. But that's up to the site operators. I'm sure similar
arguments have been made against <IMG>. 8-)
> Seems to me that the only plausible deployment for such a protocol
> modification would be opt-in on at least the part of the server
> operator (if it became magically enabled in some version of IIS or
> Apache surely support memes would circulate rapidly advising that it
> be turned off), and arguably the client side (see above), which
> makes me think it's probably not deployable in any practical sense.
It worked for SMTP over TLS, though.
BTW, I don't think there is much DNSSEC can do here. There could be a
flag in DNS which says, "only use HTTPS to connect to a web server for
this name", but certificate processing would have to remain separate
for practical and political reasons.
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
More information about the Dnssec-deployment