To: Bill Manning <bmanning@isi.edu>
Cc: Miek Gieben <miekg@atoom.net>, Mike StJohns <Mike.StJohns@nominum.com>, dnssec@cafax.se
From: Ben Laurie <ben@algroup.co.uk>
Date: Thu, 13 May 2004 11:55:27 +0100
In-Reply-To: <200405102304.i4AN4CV13517@boreas.isi.edu>
Sender: owner-dnssec@cafax.se
User-Agent: Mozilla Thunderbird 0.5 (Windows/20040207)
Subject: Re: dnssec: resolver - application communication
Bill Manning wrote:
> % well, for one, it was the "problem" of applications going directly to
> % the authoritative servers that led to some rethinking. Secondly I
> % believe that DNSSEC is here to give us detection of attacks. So
> % consider the following ssh example (as also used somewhere else in
> % this thread):
> %
> % a user connects for the first time to a remote machine. Thanks to
> % DNSSEC an attack is detected and a SERVFAIL is generated. Thanks to
> % this the user will be unable to use ssh (for this host). Mission
> % accomplished...
>
> Er... why am I uncomfortable w/ this example?
> (trust is not transitive, trust is not transitive, trust is not..)

Trust may not be transitive, but lack of trust surely is, isn't it?

--
http://www.apache-ssl.org/ben.html
http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff