To: Simon Josefsson <simon+keydist@josefsson.org>
Cc: keydist@cafax.se
From: Greg Hudson <ghudson@MIT.EDU>
Date: 04 Jan 2002 16:26:10 -0500
Delivery-Date: Fri Jan 4 22:26:15 2002
In-Reply-To: <ilu7kqyvtam.fsf@josefsson.org>
Sender: owner-keydist@cafax.se
Subject: Re: From whence we came...
On Fri, 2002-01-04 at 13:56, Simon Josefsson wrote:
> > Unfortunately, "I get X dollar per cert" model prevents this from
> > happening. Imagine if InterNIC started to charge "$1 per host" and not
> > "$35 per domain" in 1995, we likely end up the same for DNS too.
>
> We are headed in that direction with opt-in anyway, I think. It will
> cost $35 to get foo.com but $35^x to get a foo.com that is DNSSEC signed.

Well, if that happens, then DNSSEC may be doomed to the same fate as the
web browser PKI. But, some observations:

* Historically, Verisign has faced greater scrutiny and been forced to
  make more compromises in the DNS area than in the PKI area.

* Technically, Verisign can't issue you a KEY record and make you not
  sign sub-keys (or fingerprints of sub-keys, as in the NAPTR idea I've
  been advocating) with it, as they can (in practice) with certificates.
  So, once I do get a KEY record from Verisign, I don't have to transact
  with them again for each ssh key or each user. (I suppose they could
  start offering a new product where they manage all your DNS
  information, without delegating, and then they could charge you per
  key. Whether they could get away with that goes back to how
  accountable they are.)

* Verisign doesn't run all the TLDs, and even some of the ones they do
  run they aren't interested in extracting cash from. Sure, if you want
  to do web commerce you need a .com domain, but in that case you
  presumably have a budget.

Incidentally, I don't think opt-in is relevant. By my understanding, the
question isn't whether your NS record is signed, but whether you have a
KEY record signed in the .com zone. Even without opt-in, Verisign could
(and likely will) charge extra to sign keys.
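The second observation above (one parent-signed KEY record, after which the zone owner signs every sub-key itself) is the structural difference between the DNSSEC chain of trust and per-certificate CA issuance. The following is an added toy model of that chain, written for this page; it is not code from the message, the keydist list, or any DNSSEC implementation. Everything in it is an assumption made for illustration: textbook RSA over SHA-256 with no padding (insecure, for modelling only), a "KEY" record carrying a zone's public key, and "FP" records carrying SSH host-key fingerprints standing in for the NAPTR/sub-key-fingerprint idea. The resolver in the model holds only the parent (".com") public key; it accepts a fingerprint only if the fingerprint record verifies under a zone key whose KEY record verifies under the parent, so adding a second host key needs no further parent signature, while a record signed by an unrelated key, or a forged signature on a genuine zone's record, is rejected.

```python
"""Toy DNSSEC-style chain of trust: parent signs the zone KEY once, the zone
signs its own FP (SSH fingerprint) records thereafter.  Constructed example;
textbook RSA with no padding, NOT secure, only models the trust relationships."""
import hashlib
import math
import random
from dataclasses import dataclass


def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin primality test, adequate for a deterministic toy keygen."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_key(rng, bits=160):
    """Toy RSA keypair ((n, e), (n, d)); n > 2**256 so a SHA-256 digest fits."""
    def prime():
        while True:
            c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if _is_probable_prime(c, rng):
                return c
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(65537, phi) == 1:
            return (p * q, 65537), (p * q, pow(65537, -1, phi))


def _h(owner, rdata):
    """Hash of (owner name, record data) as an integer; what gets signed."""
    return int.from_bytes(hashlib.sha256(f"{owner}|{rdata}".encode()).digest(), "big")


def sign(priv, owner, rdata):
    return pow(_h(owner, rdata), priv[1], priv[0])


def verify(pub, owner, rdata, sig):
    return pow(sig, pub[1], pub[0]) == _h(owner, rdata)


@dataclass
class SignedRR:
    owner: str    # e.g. "example.com."
    rtype: str    # "KEY" (zone public key) or "FP" (SSH fingerprint)
    rdata: str
    signer: str   # zone whose key is claimed to have produced sig
    sig: int


def key_rdata(pub):
    return f"{pub[0]:x}:{pub[1]:x}"


def parse_key(rdata):
    n, e = rdata.split(":")
    return int(n, 16), int(e, 16)


def validate_fp(records, anchor_zone, anchor_pub, owner, fingerprint):
    """Resolver view: accept the FP only if it chains to the trust anchor."""
    fp = next((r for r in records if r.rtype == "FP" and r.owner == owner
               and r.rdata == fingerprint), None)
    if fp is None:
        return False
    keyrr = next((r for r in records if r.rtype == "KEY" and r.owner == fp.signer), None)
    if keyrr is None or keyrr.signer != anchor_zone:
        return False                      # zone key was never signed by the parent
    if not verify(anchor_pub, keyrr.owner, keyrr.rdata, keyrr.sig):
        return False                      # parent signature on KEY is bad
    return verify(parse_key(keyrr.rdata), fp.owner, fp.rdata, fp.sig)


def demo():
    rng = random.Random(2002)             # fixed seed: deterministic toy keys
    com_pub, com_priv = gen_key(rng)      # the parent (".com") zone key
    ex_pub, ex_priv = gen_key(rng)        # example.com's zone key
    _, rogue_priv = gen_key(rng)          # a key nobody above it has signed
    records = []
    # The one transaction with the parent: .com signs example.com's KEY.
    kr = key_rdata(ex_pub)
    records.append(SignedRR("example.com.", "KEY", kr, "com.", sign(com_priv, "example.com.", kr)))
    # Every later sub-key is signed by example.com itself (constructed key blobs).
    fps = {}
    for host, blob in (("a.example.com.", b"ssh-rsa AAAA-host-a"), ("b.example.com.", b"ssh-rsa AAAA-host-b")):
        fps[host] = hashlib.sha256(blob).hexdigest()
        records.append(SignedRR(host, "FP", fps[host], "example.com.", sign(ex_priv, host, fps[host])))
    # Attacker cases: an FP vouched for by an unsigned zone key, and a forged
    # signature that merely claims to come from example.com.
    rogue_fp = hashlib.sha256(b"ssh-rsa AAAA-rogue").hexdigest()
    records.append(SignedRR("a.example.com.", "FP", rogue_fp, "rogue.", sign(rogue_priv, "a.example.com.", rogue_fp)))
    records.append(SignedRR("c.example.com.", "FP", rogue_fp, "example.com.", sign(rogue_priv, "c.example.com.", rogue_fp)))
    return {
        "a_ok": validate_fp(records, "com.", com_pub, "a.example.com.", fps["a.example.com."]),
        "b_ok": validate_fp(records, "com.", com_pub, "b.example.com.", fps["b.example.com."]),
        "rogue_rejected": not validate_fp(records, "com.", com_pub, "a.example.com.", rogue_fp),
        "forged_rejected": not validate_fp(records, "com.", com_pub, "c.example.com.", rogue_fp),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete is that `validate_fp` consults the parent's signature exactly once, on the KEY record; the second host fingerprint (and any number after it) costs the zone owner a local signature and nothing from the parent. In the per-certificate model the analogous check would require a parent signature on every end-entity record.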