Dave Cridland <[email protected]> wrote:
>
> DNSSEC relies on trusting IANA; there is one single Trust Anchor for the
> entire DNS (DLV aside, anyway).

However, the extent to which you need to trust IANA is minuscule compared to the extent to which you are obliged to trust every x.509 CA. IANA essentially acts only as the DNSSEC root key holder, and it has no power to hijack identities or to misdirect them because of the political and operational restrictions on modifying the root zone. Even without those restrictions it can only hijack millions of domains at a time, which is hard to do stealthily.

You put a much greater degree of trust in your TLD registry. In particular you are relying on them not to hijack or misdirect your domain, and to prevent their registrars from making malicious updates. You do not need to trust other TLD registries.

> But the trust only extends to trusting the records; you might be assured
> that the record you receive really is from example.org, for example, but
> there's no telling who example.org *is*.

This is also true for most CA certificates since they are domain validated. EV certs are expensive and relatively rare, and I expect they will suffer a race to the bottom just like standard certs did.

> X.509 certificates rely on having a common Trust Anchor - in effect.

Hundreds of trust anchors, many of which are not trustworthy.

> At least one approach to authentication relies on both. The idea is to use
> DNSSEC to locate certificates - largely ignoring the domain name information
> within - but to use the CAs to provide extended validation above and beyond
> mere domain-name validation.

https://datatracker.ietf.org/wg/dane/

DANE also allows you to restrict which CAs are used for certificate validation, so you can protect yourself against rogue CAs.

Sorry, no on-topic content in this post.

Tony.
--
f.anthony.n.finch <[email protected]> http://dotat.at/
Rockall, Malin, Hebrides: South 5 to 7, occasionally gale 8 at first in Rockall and Malin, veering west or northwest 4 or 5, then backing southwest 5 or 6 later. Rough or very rough. Occasional rain.
Moderate or good, occasionally poor.
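The CA-pinning use of DANE that the reply above refers to is carried by TLSA records (RFC 6698): certificate usage 0 (PKIX-TA) says "the chain must pass through this CA", usage 1 (PKIX-EE) pins the end-entity certificate, and usages 2 and 3 are the same two shapes without the CA-store requirement. The following is an added example, not code from the thread or from the DANE working group, showing a minimal TLSA parser and the chain-side check that enforces the CA restriction. All certificate bytes are constructed placeholders (stand-ins for DER), the SubjectPublicKeyInfo of each certificate is passed in alongside it rather than extracted (real code would pull it from the parsed certificate), and the PKIX path validation that usages 0 and 1 additionally require is assumed to have happened separately; only the DANE constraint is checked here.

```python
import hashlib
from dataclasses import dataclass

# TLSA RDATA field values as defined in RFC 6698.
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # certificate association data


def parse_tlsa(rr: str) -> TLSA:
    """Parse a TLSA record in zone-file presentation format, e.g.
    '_443._tcp.example.org. IN TLSA 0 0 1 <hex>'. The hex association
    data may be broken into several whitespace-separated words, as in
    dig output; they are joined before decoding."""
    fields = rr.split()
    i = fields.index("TLSA")
    usage, selector, mtype = (int(x) for x in fields[i + 1:i + 4])
    data = bytes.fromhex("".join(fields[i + 4:]))
    if not (0 <= usage <= 3 and 0 <= selector <= 1 and 0 <= mtype <= 2):
        raise ValueError("unknown TLSA usage/selector/matching type")
    return TLSA(usage, selector, mtype, data)


def association_data(cert_der: bytes, spki_der: bytes,
                     selector: int, mtype: int) -> bytes:
    """Compute the association data a TLSA record would carry for this
    certificate under the given selector and matching type."""
    selected = cert_der if selector == SELECTOR_FULL_CERT else spki_der
    if mtype == MATCH_EXACT:
        return selected
    if mtype == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError("unknown matching type")


def tlsa_matches(record: TLSA, chain: list) -> bool:
    """Check the DANE constraint of `record` against a presented chain.

    `chain` is a list of (cert_der, spki_der) pairs, end-entity first.
    For the EE usages (1, 3) the record must match the leaf; for the TA
    usages (0, 2) it must match one of the issuing certificates in the
    chain. Usage 2 also permits a trust anchor that is not sent in the
    chain at all; that case is not handled by this example. PKIX
    validation for usages 0 and 1 is assumed to be done separately."""
    if record.usage in (USAGE_PKIX_EE, USAGE_DANE_EE):
        candidates = chain[:1]
    else:
        candidates = chain[1:]
    return any(
        association_data(cert, spki, record.selector, record.matching_type)
        == record.data
        for cert, spki in candidates
    )


# Constructed placeholders standing in for DER-encoded certificates and
# their SubjectPublicKeyInfo blobs; only their bytes matter for hashing.
LEAF_CERT, LEAF_SPKI = b"constructed:leaf-cert", b"constructed:leaf-spki"
GOOD_CA_CERT, GOOD_CA_SPKI = b"constructed:our-ca-cert", b"constructed:our-ca-spki"
ROGUE_CA_CERT, ROGUE_CA_SPKI = b"constructed:rogue-ca-cert", b"constructed:rogue-ca-spki"


def pin_record_for_ca(ca_cert: bytes, ca_spki: bytes) -> str:
    """Build a PKIX-TA (usage 0), SPKI (selector 1), SHA-256 (type 1)
    TLSA record that pins the issuing CA, in presentation format."""
    digest = association_data(ca_cert, ca_spki, SELECTOR_SPKI, MATCH_SHA256)
    return "_443._tcp.example.org. IN TLSA 0 1 1 " + digest.hex()


def demo() -> dict:
    """Pin our CA, then test a chain issued by it and one issued by a
    CA we never authorised. Returns the two outcomes."""
    record = parse_tlsa(pin_record_for_ca(GOOD_CA_CERT, GOOD_CA_SPKI))
    via_good_ca = [(LEAF_CERT, LEAF_SPKI), (GOOD_CA_CERT, GOOD_CA_SPKI)]
    via_rogue_ca = [(LEAF_CERT, LEAF_SPKI), (ROGUE_CA_CERT, ROGUE_CA_SPKI)]
    return {
        "good_ca_accepted": tlsa_matches(record, via_good_ca),
        "rogue_ca_accepted": tlsa_matches(record, via_rogue_ca),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the demo is that a certificate chaining to a publicly trusted but unauthorised CA fails the TLSA check even though it would pass ordinary PKIX validation, which is exactly the protection against rogue CAs the reply describes. The DNS lookup itself is out of scope here; the record is only meaningful if it was obtained with DNSSEC validation.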
