Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC

"Jeffrey A. Williams" <> Mon, 11 October 2010 19:34 UTC

Date: Mon, 11 Oct 2010 14:31:35 -0500 (GMT-05:00)
From: "Jeffrey A. Williams" <>
To: "Henry B. Hotz" <>
Cc: Michael StJohns <>, "" <>
Subject: Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC

Henry and all,

-----Original Message-----
>From: "Henry B. Hotz" <>
>Sent: Oct 5, 2010 1:32 AM
>To: "" <>
>Cc: "" <>, "" <>, Michael StJohns <>, "" <>, "" <>
>Subject: Re: [TLS] [pkix]  Cert Enumeration and Key Assurance With DNSSEC
>On Oct 4, 2010, at 5:46 PM, Martin Rex wrote:
>>> DNSSEC provides a "secure" association FROM the name TO the IP address.
>>> But the DNS domain owner tends not to be the host owner so this asserted
>>> association may not reflect the intent of the host owner.
>>> Also, DNSSEC doesn't protect from IP hijacking (re-routing).
>> Incorrect characterisation.  DNSSEC provides only for secure distribution
>> of DNS records.  Whether the distributed DNS records are accurate or
>> trustworthy is a completely distinct issue.
>I think secure distribution of DNS records implies secure distribution of name to IP associations. 

I agree. 
>Whether those records are <whatever/> depends on the practices of the domain administrator.  Is a 3rd party CA more or less (likely to be) trustworthy than the relevant domain administrator?

Good point IMO, and one that seems all too often to be missed or largely ignored for whatever
reason.  My answer to your nicely and simply posed question is that the 3rd party CA is less
likely to be MORE trustworthy than the relevant domain administrator.  One can never know when
or if one's chosen CA goes rogue or has a corrupted or hacked cert database.  The same can be said
for Trust Anchors.  However, I am sure that many would disagree with my opinion here.  Additionally,
similar can be said in respect to the relevant domain administrator.
>The opinions expressed in this message are mine,
>not those of Caltech, JPL, NASA, or the US Government.
>Henry.B.Hotz@jpl.nasa.gov, or
>TLS mailing list


  As predicted some years ago, it now seems that Libya has taken it
upon itself, as the host nation of the .ly ccTLD, to ensure that
domain names registered in its name space are more 'family
friendly' and in compliance with whatever standard(s) in Libya
would determine same...???  I wonder if such standards are
documented and articulated fully accordingly.

  Note: I wonder how many requests from various countries to
hosting services or Registrars for .com, .net, .org, .info, .mobi,
and/or any other name space TLD, generic or otherwise, will be
received, even up to a flood of requests/demands for DMCA takedowns
due to 'questionable content or use'?  My guess is the number will
be growing rather rapidly, as will similar for IPv4 and IPv6 addresses
for similar reasons.  Of course this activity should give civil liberty
lawyers a boon in new business and be filling up the court dockets in
some countries with such cases for years to come.