Bill Stewart
Tue, 25 Mar 2003 13:55:16 -0800
I get the impression that we're talking at cross-purposes here, with at least two different discussions. Let's look at several cases:
Some people are arguing "Many Sites with SSL Certs are Type 2, Not Type 1"
(No they're not! Yes, they are!)
Some people are arguing "There are lots of Type 3, so we should support them
better than we do today instead of requiring them to do Type 1"
(I suspect that's what Ian was really trying to say,
but most of the replies have been to the other question, e.g.
"There are lots of Type 3! No, there aren't many Type 2!
Yes there *are* lots of Type 3! No there AREN'T many Type 2!"
........ "Yes, there are lots of 1a, but that doesn't imply 2!"
"Type 1+2 is 1% and 3+4 is 99%! No, 1b was fixed")

One of the big reasons for DNSSEC was MITM protection, at least before virtual hosting took over, because it gave you a way to trust that the IP address you used was the correct IP address for the domain name you wanted, so you were probably talking to the right machine. Of course that doesn't get you ARP-spoofing protection, or eavesdropping protection unless you also use it as a crypto key or at least a signature key for DH parts, and doesn't protect you against other users on your machine (but a shared machine doesn't have much protection anyway, at least from root, so that was already part of your threat model, and that's another 1-vs-1a variant, like the heavy-duty lock on your apartment building front door when your own apartment door has a wimpy lock.)
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]