Re: [Trans] A counter-argument (Re: DNSSEC also needs CT)
Warren Kumari <warren@kumari.net> Sat, 10 May 2014 10:30 UTC
From: Warren Kumari <warren@kumari.net>
To: Nico Williams <nico@cryptonector.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/7Zi-FTbaTbEAknUTxP5RR3kvGfY
Cc: "trans@ietf.org" <trans@ietf.org>

On Fri, May 9, 2014 at 9:06 PM, Nico Williams <nico@cryptonector.com> wrote:
> A counter-argument would be that DNSSEC is like PKI with name
> constraints done properly, and with most domains being children of
> TLDs, there's really only two entities that can MITM them: the root
> and the TLD registrars.

... and the (outsourced) DNS operator and the DNS parent(s) / registry..
This is also the set of folk who can update / return other answers for
MX queries, and so, if willing to dink with stuff, could obtain a
domain validated cert.

I suspect we may be getting somewhat off topic for Trans, and into
discussions we have had a number of times on the DANE list...

W

>
> Therefore the risk of dishonest "CAs" is lower for DNSSEC than it is for PKI.
>
> I've seen skepticism about CT along the lines of "who will pay?" and
> "it's just another tax". I don't think that should be dismissed out
> of hand. But I do think that in the long run we should do anything
> that we can do and that is economical (very important, that) to make
> it easier to at least catch misbehaving CAs/registrars/... the jury
> is still out as to whether CT be economical, right?
>
> Nico
> --
>
> _______________________________________________
> Trans mailing list
> Trans@ietf.org
> https://www.ietf.org/mailman/listinfo/trans