Re: [keyassure] publishing the public key

Martin Rex <mrex@sap.com> Mon, 14 February 2011 18:29 UTC

Henry Story wrote:
> 
> > The current approach of admins to run a TLS server with a bare public
> > key is to generate themselves a self-signed (X.509v1) Certificate.
> > That is probably what many folks are doing when protecting Web access to
> > their HomeNAS, Home DSL-router, Home DVB-s receiver, etc.
> > 
> > This works with the installed base, in particular with the installed
> > base of servers.  Though it doesn't work that well with Web Browsers
> > as clients.  In particular, many recent browsers are pretty badly broken
> > when it comes to a sensible UI for servers using a self-signed cert.
> 
> Indeed, and this is why keyassure is going to be so useful for those people. 
> They must just be itching to pop their public keys in DNSSEC as soon as the 
> first browser vendors implement it. So you are guaranteed a large community
> to spread the word and give you feedback. And I think Browser Vendors will
> be very keen to implement this, as well as DNSSEC of course, given the
> terrible state of DNS.

Not at all.  The average Home user (private home DSL subscriber) is
not a DNS admin, let alone a DNSSEC admin.  So for accessing the Web-UIs
of Home devices/equipment/gadgets, DANE will be mostly irrelevant.

But maybe some of the Browser maintainers fix their UIs and start
to distinguish direct access to local resources on private networks
(such as 192.169.x.x and 10.x.x.x and hostnames without domains attached)
from access to resources on the internet.  And stop behaving like nagware
for commercial CAs.

-Martin
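As an added illustration of the distinction Martin asks browser maintainers to make (example code, not from anyone in the thread): a classifier that treats RFC 1918 addresses and bare hostnames with no domain attached as "local", and a warning-level policy layered on top of it. Covering all RFC 1918 ranges, loopback, link-local and the IPv6 equivalents goes beyond the two cases the message names, and the `cert_ui_treatment` policy is an assumption of what a "sensible UI" might do.

```python
import ipaddress

# Address ranges treated as local. RFC 1918 private IPv4 space is what the
# message alludes to; loopback, link-local and the IPv6 ULA/link-local ranges
# are added here as an assumption.
LOCAL_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
LOCAL_V6 = [ipaddress.ip_network(n) for n in ("::1/128", "fc00::/7", "fe80::/10")]


def is_local_resource(host: str) -> bool:
    """Return True when the URL host part names a resource on a local/private
    network: a private, loopback or link-local address, or a hostname with no
    domain attached (a single label such as "nas" or "router")."""
    host = host.strip().lower().rstrip(".")
    if not host:
        return False
    # IPv6 literals appear bracketed in URLs, e.g. "[fe80::1]".
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: a bare hostname has no dot; anything with a
        # domain attached is treated as an internet resource.
        return "." not in host
    nets = LOCAL_V4 if ip.version == 4 else LOCAL_V6
    return any(ip in net for net in nets)


def cert_ui_treatment(host: str, self_signed: bool) -> str:
    """Illustrative (assumed) policy: a self-signed certificate on a local
    resource gets a soft, first-use style notice, while the same certificate
    on an internet host keeps the full interstitial warning."""
    if not self_signed:
        return "no-warning"
    return "soft-warning" if is_local_resource(host) else "hard-warning"


if __name__ == "__main__":
    # Constructed sample hosts, as a browser would see them in a URL.
    for h in ("192.168.1.1", "nas", "[fe80::1]", "www.example.com"):
        print(f"{h:18} local={is_local_resource(h)!s:5} "
              f"self-signed -> {cert_ui_treatment(h, True)}")
```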