[Dnssec-deployment] Root Zone DNSSEC Deployment Technical Status Update
Ondřej Surý
ondrej.sury at nic.cz
Tue Jul 20 04:03:01 EDT 2010
On 19.7.2010 18:48, Steingruebl, Andy wrote:
>> -----Original Message-----
>> [mailto:dnssec-deployment-bounces at dnssec-deployment.org] On Behalf
>> Of Paul Wouters
>>
>> And the current thinking/revival of moving SSL certs out of the (broken) CA
>> infrastructure and into the DNSSEC infrastructure. Another example could be
>> the browsers querying for the existence of an "SSL" cert in DNS, and
>> automatically starting out using https instead of http. (I wonder if that could
>> be done with a new edns option or additional data to reduce this to one
>> query)
>
> First, a plug. At the upcoming IETF there is a BoF scheduled to discuss a subset of these issues and explore whether there is broader interest to start work on general policy mechanisms, etc. The charter for that work is here:
>
> HASMAT Charter Proposal
> http://www.ietf.org/mail-archive/web/hasmat/current/msg00006.html
I am not sure if it's wise to narrow this topic just to HTTP. There are
a lot of other protocols which would benefit from CERTs in DNS. SMTP,
IMAP, POP3, Jabber, just to name a few.
Ondrej
> Here are several things that are proposed or have been in the past:
>
> Storing Certificates in the Domain Name System (DNS)
> http://tools.ietf.org/html/rfc4398
>
> Storing HTTP Security Requirements in the Domain Name System - draft-schechter-HTTPSSR-00.txt
> http://lists.w3.org/Archives/Public/public-wsc-wg/2007Apr/att-0332/http-ssr.html
>
> HTTP Strict Transport Security (HSTS)
> http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02
>
> And, a few papers to reference:
>
> Web Sites Should Not Need to Rely On Users to Secure Communications
> http://www.andyozment.com/papers/24-ozment-dont-rely.pdf
>
> Bootstrapping the Adoption of Internet Security Protocols
> http://www.ll.mit.edu/mission/communications/ist/publications/060626_Schechter.pdf
>
> The Need for Coherent Web Security Policy Framework(s)
> http://w2spconf.com/2010/papers/p11.pdf
>
>
> --
> Andy
--
Ondřej Surý
vedoucí výzkumu/Head of R&D department
-------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Americka 23, 120 00 Praha 2, Czech Republic
mailto:ondrej.sury at nic.cz http://nic.cz/
tel:+420.222745110 fax:+420.222745112
-------------------------------------------