[Dnssec-deployment] Root Zone DNSSEC Deployment Technical Status Update

Florian Weimer fweimer at bfk.de
Mon Jul 19 09:47:38 EDT 2010 

* Joe Abley:

> On 2010-07-19, at 09:28, Florian Weimer wrote:
>
>> IMHO, the answer is to transparently upgrade to HTTPS within HTTP, and
>> continue to show the http:// protocol scheme at the UI level.  Thus,
>> passive eavesdropping becomes impossible, but the user experience
>> stays the same (which is important because support calls because of
>> unexpected URL bar colors cost money).
>
> How would an existing application that has no privacy or security
> concerns, but which relies heavily upon intermediate caching, cope
> with such a scheme?

It's up to the cache to use the modified transport protocol.  Same as
IPv6.

> What signalling is available to a legacy application?

Legacy applications simply won't upgrade to TLS.

> What might be the cost of unexpected certificate validation failures
> in terms of user confusion and corresponding helpdesk calls?

You don't need to perform certificate validation at all when you show
an http:// URL.  That's the beauty of this scheme.

> For busy web sites, is it not reasonable to think that SSL on every
> session might impose a significant CPU burden?

Maybe.  But that's up to the site operators.  I'm sure similar
arguments have been made against <IMG>. 8-)

> Seems to me that the only plausible deployment for such a protocol
> modification would be opt-in on at least the part of the server
> operator (if it became magically enabled in some version of IIS or
> Apache surely support memes would circulate rapidly advising that it
> be turned off), and arguably the client side (see above), which
> makes me think it's probably not deployable in any practical sense.

It worked for SMTP over TLS, though.

BTW, I don't think there is much DNSSEC can do here.  There could be a
flag in DNS which says, "only use HTTPS to connect to a web server for
this name", but certificate processing would have to remain separate
for practical and political reasons.

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

More information about the Dnssec-deployment mailing list