

To: Simon Josefsson <simon+keydist@josefsson.org>
Cc: keydist@cafax.se
From: Greg Hudson <ghudson@MIT.EDU>
Date: 04 Jan 2002 16:26:10 -0500
Delivery-Date: Fri Jan 4 22:26:15 2002
In-Reply-To: <ilu7kqyvtam.fsf@josefsson.org>
Sender: owner-keydist@cafax.se
Subject: Re: From whence we came...

On Fri, 2002-01-04 at 13:56, Simon Josefsson wrote:
> > Unfortunately, "I get X dollars per cert" model prevents this from
> > happening. Imagine if InterNIC had started to charge "$1 per host" and not
> > "$35 per domain" in 1995; we would likely have ended up the same for DNS too.
> 
> We are headed in that direction with opt-in anyway, I think.  It will
> cost $35 to get foo.com but $35^x to get a foo.com that is DNSSEC signed.

Well, if that happens, then DNSSEC may be doomed to the same fate as the
web browser PKI.  But, some observations:

  * Historically, Verisign has faced greater scrutiny and been forced to
make more compromises in the DNS area than in the PKI area.

  * Technically, Verisign can't issue you a KEY record and make you not
sign sub-keys (or fingerprints of sub-keys, as in the NAPTR idea I've
been advocating) with it, as they can (in practice) with certificates. 
So, once I do get a KEY record from Verisign, I don't have to transact
with them again for each ssh key or each user.

  (I suppose they could start offering a new product where they manage
all your DNS information, without delegating, and then they could charge
you per key.  Whether they could get away with that goes back to how
accountable they are.)

  * Verisign doesn't run all the TLDs, and even some of the ones they do
run they aren't interested in extracting cash from.  Sure, if you want
to do web commerce you need a .com domain, but in that case you
presumably have a budget.

Incidentally, I don't think opt-in is relevant.  By my understanding,
the question isn't whether your NS record is signed, but whether you
have a KEY record signed in the .com zone.  Even without opt-in,
Verisign could (and likely will) charge extra to sign keys.

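An added illustration of the point made above, that one parent-signed KEY record lets a zone owner sign any number of sub-keys without going back to the parent. This is not part of Greg Hudson's message or of any keydist code: the program below models the two-level chain with Ed25519 (2002-era DNSSEC would have used RSA or DSA), invents the struct names ZoneKey and SubKeyRecord, does not use DNSSEC wire format, and uses constructed sample fingerprints. The verifier holds only the parent's public key as trust anchor, so a zone key the parent never signed is rejected even if it copies the real parent signature, and the legitimate zone key cannot vouch for a name outside its own zone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// ZoneKey models the signed KEY record a parent (e.g. the .com operator)
// publishes for a child zone. Hypothetical struct, not DNSSEC wire format.
type ZoneKey struct {
	Zone      string
	Pub       ed25519.PublicKey
	ParentSig []byte // parent's signature over ("KEY", Zone, Pub)
}

// SubKeyRecord models a per-host record the zone owner signs with its own
// zone key, e.g. an SSH host key fingerprint (the NAPTR-style idea above).
type SubKeyRecord struct {
	Owner       string // e.g. "host1.example.com"
	Fingerprint string // constructed sample fingerprint text
	Sig         []byte // zone key's signature over ("SUBKEY", Owner, Fingerprint)
}

func zoneKeyMsg(zone string, pub ed25519.PublicKey) []byte {
	return append([]byte("KEY|"+zone+"|"), pub...)
}

func subKeyMsg(owner, fp string) []byte {
	return []byte("SUBKEY|" + owner + "|" + fp)
}

// SignZoneKey is the one transaction with the parent: it signs the zone's public key.
func SignZoneKey(parentPriv ed25519.PrivateKey, zone string, pub ed25519.PublicKey) ZoneKey {
	return ZoneKey{Zone: zone, Pub: pub, ParentSig: ed25519.Sign(parentPriv, zoneKeyMsg(zone, pub))}
}

// SignSubKey is done by the zone owner alone, as often as it likes; the parent is not involved.
func SignSubKey(zonePriv ed25519.PrivateKey, owner, fp string) SubKeyRecord {
	return SubKeyRecord{Owner: owner, Fingerprint: fp, Sig: ed25519.Sign(zonePriv, subKeyMsg(owner, fp))}
}

// Verify walks the chain from the trust anchor (parent public key) to the record:
// the parent vouches for the zone key, the zone key vouches for the record, and
// the record must name something inside that zone.
func Verify(parentPub ed25519.PublicKey, zk ZoneKey, rec SubKeyRecord) error {
	if !ed25519.Verify(parentPub, zoneKeyMsg(zk.Zone, zk.Pub), zk.ParentSig) {
		return errors.New("zone KEY record is not signed by the parent")
	}
	if rec.Owner != zk.Zone && !strings.HasSuffix(rec.Owner, "."+zk.Zone) {
		return errors.New("record owner is outside the signing zone")
	}
	if !ed25519.Verify(zk.Pub, subKeyMsg(rec.Owner, rec.Fingerprint), rec.Sig) {
		return errors.New("sub-key record is not signed by the zone key")
	}
	return nil
}

// Demo builds one parent-signed zone key, signs records under it without the
// parent, and checks that an unendorsed key and an out-of-zone record are rejected.
func Demo() (goodOK, rogueRejected, outOfZoneRejected bool, err error) {
	tldPub, tldPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	zonePub, zonePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	zk := SignZoneKey(tldPriv, "example.com", zonePub)

	// Two hosts, two sub-keys, zero further transactions with the parent.
	h1 := SignSubKey(zonePriv, "host1.example.com", "SHA256:constructed-sample-fingerprint-1")
	h2 := SignSubKey(zonePriv, "host2.example.com", "SHA256:constructed-sample-fingerprint-2")
	goodOK = Verify(tldPub, zk, h1) == nil && Verify(tldPub, zk, h2) == nil

	// Rogue zone key the parent never signed; copying the real parent signature does not help.
	roguePub, roguePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	rogueZK := ZoneKey{Zone: "example.com", Pub: roguePub, ParentSig: zk.ParentSig}
	rogueRejected = Verify(tldPub, rogueZK, SignSubKey(roguePriv, "host1.example.com", "SHA256:rogue")) != nil

	// The legitimate zone key signing a name it does not own is rejected too.
	outOfZoneRejected = Verify(tldPub, zk, SignSubKey(zonePriv, "host1.example.net", "SHA256:elsewhere")) != nil
	return
}

func main() {
	good, rogue, outside, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("valid chain accepted:", good)
	fmt.Println("unsigned zone key rejected:", rogue)
	fmt.Println("out-of-zone record rejected:", outside)
}
```

The owner-suffix check in Verify is the part worth keeping in mind when reading the message's "could charge you per key" aside: whoever holds the zone's private key decides what gets signed under that zone, and nothing in the chain lets the parent ration those signatures after the fact; the parent's only lever is whether it signs the zone key at all.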
