Re: DNS vs PKI, was Quic: the elephant in the room

[Michael Thomas <mike@mtcc.com>]

On 4/10/21 11:31 AM, John Levine wrote:
> It appears that Viktor Dukhovni  <ietf@ietf.org> said:
>> Ben's claim that CAs are "more secure" than DNSSEC is demonstrably
>> in error in a world where all that CAs do is issue DV certs that
>> attest to "domain control".
> More than that, the security of your DNS depends on the providers in
> the chain between you and the root, which is typically short, and over
> which you have a lot of control. If you have a valuable domain, you
> can use a high security registrar that applies controls to zone
> changes. With PKI, your security is only as good as the worst of all
> of the CAs in someones browser, nearly all of which have no relation
> to you and most of which you've never heard of.
>
> This is not a new argument and I doubt we're going to say anything new here.
>
The jist of my post was not that there was something new, per se but 
that there are many companies like google, ms, apple who are in a good 
position to run an experiment and see how it pans out from a deployment 
standpoint. One of the good things to come out of quic and spdy is the 
revelation that if you own both ends of the platform, you don't have to 
get buy in to just see if you're on the right track or not. I mean I 
could build up an experiment just to show proof of concept, but I don't 
have the ability to see in the real world how much it helps like the 
real world data they got with quic and spdy.

Heck, maybe even IETF or W3C could have a hand in coordinating 
experiments so that they can be fed back to the appropriate working 
groups. Like I said, probably the biggest takeaway of quic is that we 
can prove whether something deserves more work or not instead of usual 
Build it and They Will Come failure mode which DANE seems to be 
suffering as well from what I can tell.

Mike