Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)

[Paul Wouters <paul@xelerance.com>]

On Thu, 25 Feb 2010, Phillip Hallam-Baker wrote:

> But SSH would be much better if we could integrate the key
> distribution into a secured DNS.

See previous post. Already done and running.

> And self-signed SSL certs would be
> better if we could use hash values distributed through a secured DNS
> to verify them.

Yes. The CERT/CERTQ record is still a bit of a problem and needs some
work.

> If DNSSEC succeeds, the domain validated certificate business will
> have to either transform or eventually die. I think that for most CAs,
> the business opportunities from SSL+DNSSEC are greater than the
> opportunities from the current DV SSL business. DNSSEC cannot deploy
> unless the registrars have cryptography expperience, the CAs have that
> experience.

If you ask security researchers, it has been proven that CA's sacrificed
security for profitability. The CA model has failed to work. 2 second
validation based on email, md5 based * root certificates signed, etc etc.
The last two years saw a significant amount of attacks against CA's, and
CA's have seen their profit margin fall to near zero, so even if they
wanted to, they cannot increase security (you ask me a confirmation for
my cert, I'll go to this other ssl provider that doesn't).

CERT's in DNS(SEC) put the responsibility of the cert within the domain of
the customer. If they care, they can do their security. The time of
outsourcing security to CA's is over.

Paul