To:
Keith Moore <moore@cs.utk.edu>
Cc:
Edward Lewis <lewis@tislabs.com>, keydist@cafax.se
From:
Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
Date:
Mon, 25 Mar 2002 20:24:58 -0500
In-Reply-To:
Message from Keith Moore <moore@cs.utk.edu> of "Mon, 25 Mar 2002 20:11:39 EST." <200203260111.g2Q1Bdt03978@astro.cs.utk.edu>
Reply-To:
sommerfeld@orchard.arlington.ma.us
Sender:
owner-keydist@cafax.se
Subject:
Re: My take on the BoF session
> what does "moderate levels of assurance" mean? not everyone will > agree that the dnssec delegation model provides such, particularly > when an untrustworthy root or TLD zone poses a significant threat > to large numbers of users. So, last I checked, the DNS root was *already* a critical service. Someone who can get bogus data into it can already cause no end of chaos. (oh, BTW, commercial CA's have the same kind of potential assurance problems on the database input side that DNS registrars have -- witness the fraudulent microsoft certificate which was issued in recent memory). > I'm not sure that "minimal to no preconfiguration" is even compatible > with "moderate levels of assurance", since not everyone trusts the > same kind of assurance mechanism. By "moderate" I mean "better than what ssh uses today by default, and not as painful as what you typically have to go through to set up x.509". Maybe I should have said "low" assurance and called what ssh does "no" assurance. - Bill