[Dnssec-deployment] Root Zone DNSSEC Deployment Technical Status Update

Joe Abley joe.abley at icann.org
Mon Jul 19 11:01:18 EDT 2010


On 2010-07-19, at 09:47, Florian Weimer wrote:

> * Joe Abley:
> 
>> On 2010-07-19, at 09:28, Florian Weimer wrote:
>> 
>>> IMHO, the answer is to transparently upgrade to HTTPS within HTTP, and
>>> continue to show the http:// protocol scheme at the UI level.  Thus,
>>> passive eavesdropping becomes impossible, but the user experience
>>> stays the same (which is important because support calls because of
>>> unexpected URL bar colors cost money).
>> 
>> How would an existing application that has no privacy or security
>> concerns, but which relies heavily upon intermediate caching, cope
>> with such a scheme?
> 
> It's up to the cache to use the modified transport protocol.  Same as
> IPv6.

My point was that an intermediate cache can't provide appropriate credentials to allow certificate verification to succeed. However...

>> What might be the cost of unexpected certificate validation failures
>> in terms of user confusion and corresponding helpdesk calls?
> 
> You don't need to perform certificate validation at all when you show
> an http:// URL.  That's the beauty of this scheme.

... it seems that you are not interested in doing that anyway.

> BTW, I don't think there is much DNSSEC can do here.

I agree. If you don't care about certificate verification, then you also don't care about endpoint identification, so the problem space you're talking about is quite different from that which appears elsewhere in this thread.


Joe
