Re: [TLS] [DNSOP] [pkix] Cert Enumeration and Key Assurance With DNSSEC

[Phillip Hallam-Baker <hallam@gmail.com>]

If the problem is the lack of checks and balances, the solution should be to
introduce checks and balances.

Moving from a market based solution with multiple CAs to a monopoly with one
trust provider does not help at all. It makes the situation much worse
because there is now no possibility of choice in the future.


This type of decision needs to be taken in the open with the proposers
clearly stating what they are about. The proposed charter as written
misleads the reader into thinking that what is being proposed is to use the
DNSSEC to provide one ADDITIONAL trust provider.

What is actually being proposed is to replace the fifteen year established
system of CAs with a new scheme starting in November.


If you read through the KEYASSURE archives, you will find that whenever the
proposers of this scheme are asked questions that they avoid answering them.
Most often they claim not to understand what is being asked.

I really don't think that we want to replace the existing infrastructure a
new PKI designed by people who claim not to understand the issues involved.
As the proposers of this scheme have done repeatedly.

This whole thing is being hurried through as if the proposers know that if
people actually stop and look at what is really being proposed that they
know the whole proposal will collapse.


Before we go any further with this, I want full disclosure. I want to know
the full extent of what is being proposed. I also want to know anything else
that might affect the consideration of this proposal.

The reaction to asking legitimate security questions has been really rather
awful. Whenever I ask a question, Paul Hoffman has immediately popped up to
claim that nobody can understand it, apparently in an attempt to divert
examination of the question into a flame war.

I do not think it is legitimate for a group of people to bully and threaten
away those of contrary views and then declare that they have achieved
'consensus'. That is the way Trotskyites take over political parties, they
call it 'entryism'.


On Sun, Oct 3, 2010 at 8:15 AM, Tony Finch <dot@dotat.at> wrote:

> On 3 Oct 2010, at 02:49, Marsh Ray <marsh@extendedsubset.com> wrote:
> >
> > In the meantime, we'd end up with the DNS root effectively having the
> power of yet another CA. Except that it's not, because the various arms of
> ICANN and VeriSign/Symantec are probably already trusted many times over.
>
> I agree with your points about the difficulty of rolling out DNSSEC key
> assurance and its coexistence with PKIX.
>
> But the above is a bit off-base, because the DNS has a lot of structural
> constraints that make it weaker than a CA. Although in theory the root zone
> operators could steal any arbitrary name, the organisational checks and
> balances prevent that. CAs have no significant external checks and balances.
> For example they don't have the equivalent of whois that allows third
> parties to check who has been issued a certificate for a particular name.
>
> Tony.
> --
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
>
>


-- 
Website: http://hallambaker.com/