Re: [TLS] [saag] [pkix] Cert Enumeration and Key Assurance With DNSSEC

der Mouse <mouse@Rodents-Montreal.ORG> Tue, 05 October 2010 08:00 UTC

Date: Tue, 5 Oct 2010 04:00:55 -0400 (EDT)
From: der Mouse <mouse@Rodents-Montreal.ORG>
Message-Id: <201010050800.EAA11862@Sparkle.Rodents-Montreal.ORG>

>>> DNSSEC provides a "secure" association FROM the name TO the IP
>>> address.
>> Incorrect characterisation.  DNSSEC provides only for secure
>> distribution of DNS records.  Whether the distributed DNS records
>> are accurate or trustworthy is a completely distinct issue.
> I think secure distribution of DNS records implies secure
> distribution of name to IP associations.

Yes, it does, name-to-IP associations being one of the major things the
DNS is used for.

But the original statement was that DNSSEC provides "secure"
association from name to IP.  This is a stronger property than
providing secure distribution of name-to-IP mapping information; it
also implies that the creation of that information and its injection
into the distribution mechanisms are "secure" (whatever that means - I
note that none of these say what they are talking about being secure
against; perhaps I'm just missing context).

> Is a 3rd party CA more or less (likely to be) trustworthy than the
> relevant domain administrator?

There are (at least moderately) common scenarios in which it's the one
way around; there are other similarly common scenarios in which it's
the other - at least for most types of trust; again, this doesn't give
much hint of the threat model of interest.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B