On 12/02/2016 02:37 AM, Terje Elde wrote:

On 02 Dec 2016, at 10:18, Alice Wonder <[email protected]> wrote:

DNSSEC locks the user into fingerprints signed by my private signing key. This 
is not a signing key that the TLD has access to.

You can argue that a nefarious actor could create their own signing key and get 
the TLD to sign the DS records associated with that key, but that is a very 
visible action that would be seen in the DNS responses from the TLD. It's out 
in the open.

Yes, unless you selectively serve out the signed records.

Quite honestly though, my main concern with DNSSEC as compared to HPKP is 
adoption-rate really.

Yeah, I know DNSSEC adoption is presently rather low. For me personally, popularity is not what warrants merit.

Microsoft FrontPage used to be extremely popular, that didn't make it a good product.

The popularity of HPKP is the result of Google pushing it on the industry after developing it in private themselves. They did not involve the Internet community in its design until after it was already implemented in Chrome.

I'm tired of letting Google rule the Internet. But that's not a technical objection, technical objections I already listed, but it would have been nice if HPKP could have been developed in an open manner where those issues maybe could have been addressed before it was put into use.

_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
