To: Keith Moore <moore@cs.utk.edu>
Cc: sommerfeld@orchard.arlington.ma.us, Edward Lewis <lewis@tislabs.com>, keydist@cafax.se
From: Johan Ihren <johani@autonomica.se>
Date: 26 Mar 2002 13:30:13 +0100
In-Reply-To: <200203260156.g2Q1u6t04164@astro.cs.utk.edu>
Sender: owner-keydist@cafax.se
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.3
Subject: Re: My take on the BoF session

Keith Moore <moore@cs.utk.edu> writes:

Keith,

> > So, last I checked, the DNS root was *already* a critical service.
> > Someone who can get bogus data into it can already cause no end of
> > chaos.
>
> right, but placing an even greater trust in it does not seem wise.

Isn't this a business opportunity for someone who does have experience
with trust management to sell their services over DNSSEC in addition
to other mechanisms?

I.e. while I fully agree that the chain of trust from the public DNS
root down to your random zone deep-down-in-the-tree may be difficult
to assess, that could be improved by the CA selling service in the
form of delegation of

autonomica.customer.[some CA].com

to me. Then you and I both acquire the trusted key for [some CA].com
and things have suddenly improved from what we have today. Trust
analysis becomes possible since there are no unknown entities between
me and the CA and the public DNS root is out of the equation.

True, the domain name is a bit more unwieldy. But depending upon the
amount of trust that you're looking for that may or may not be
acceptable.

Is there something that I'm missing here that makes this unfeasible?

Johan Ihrén

[I'm not known to wear hats, especially not filled with security clue,
but I do have a basic understanding of DNS]
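
An added example, not part of the message above or of any project's code: it lists the zones a validator depends on for one name, first with the root as trust anchor and then with the CA's zone as anchor. The zone tree, the key bytes, the stand-in name "someca.example" for "[some CA].com", and the choice to treat "customer" as a label inside the CA's zone are constructed assumptions; delegations are linked by SHA-256 DS digests (RFC 4509) and signature checks are left out.

```python
import hashlib
import struct

def labels(name):
    """Split a domain name into lowercase labels; the root "." gives ()."""
    return tuple(part for part in name.lower().split(".") if part)

def ends_with(full, suffix):
    return len(suffix) <= len(full) and full[len(full) - len(suffix):] == suffix

def ds_digest(owner, pubkey, flags=257, algorithm=13):
    """DS digest type 2 (RFC 4509): SHA-256(owner wire name | DNSKEY RDATA)."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(owner))
    rdata = struct.pack("!HBB", flags, 3, algorithm) + pubkey
    return hashlib.sha256(wire + b"\x00" + rdata).hexdigest()

def trust_path(name, anchor, zones):
    """List every zone whose key the validator relies on for `name`, from the
    configured trust anchor down; raise ValueError if a DS link is missing or
    does not match the child key. RRSIG verification is not modelled here."""
    target, top = labels(name), labels(anchor)
    if anchor not in zones or not ends_with(target, top):
        raise ValueError(f"{name} is not below trust anchor {anchor}")
    path = sorted((z for z in zones if ends_with(target, labels(z))
                   and ends_with(labels(z), top)), key=lambda z: len(labels(z)))
    for parent, child in zip(path, path[1:]):
        if zones[parent]["ds"].get(child) != ds_digest(child, zones[child]["key"]):
            raise ValueError(f"no matching DS for {child} in {parent}")
    return path

def build(delegations):
    """Constructed sample tree: placeholder key bytes, DS records derived from them."""
    apexes = {apex for pair in delegations for apex in pair}
    zones = {a: {"key": b"constructed key " + a.encode(), "ds": {}} for a in apexes}
    for parent, child in delegations:
        zones[parent]["ds"][child] = ds_digest(child, zones[child]["key"])
    return zones

# "someca.example" stands in for the message's "[some CA].com" (assumed name).
ZONES = build([(".", "se"), ("se", "autonomica.se"), (".", "example"),
               ("example", "someca.example"),
               ("someca.example", "autonomica.customer.someca.example")])
NAME = "www.autonomica.customer.someca.example"

if __name__ == "__main__":
    print("anchor = root:", trust_path(NAME, ".", ZONES))
    print("anchor = CA:  ", trust_path(NAME, "someca.example", ZONES))
```

With the CA's zone as anchor, a bad DS record at the root or in the TLD no longer affects validation of the customer name, but names outside the CA's subtree cannot be validated from that anchor at all.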