On Sat, 07 Sep 2013 18:50:06 -0700 John Gilmore <g...@toad.com> wrote:
> It was never clear to me why DNSSEC took so long to deploy,
[...]
> PS: My long-standing domain registrar (enom.com) STILL doesn't
> support DNSSEC records -- which is why toad.com doesn't have DNSSEC
> protection. Can anybody recommend a good, cheap, reliable domain
> registrar who DOES update their software to support standards from
> ten years ago?

I believe you have answered your own question there, John. Even if we assume subversion, deployment requires cooperation from too many people to be fast.

One reason I think it would be good to have future key management protocols based on very lightweight mechanisms that do not require assistance from site administrators to deploy is that it makes it ever so much easier for things to get off the ground. SSH deployed fast because one didn't need anyone's cooperation to use it -- if you had root on a server and wanted to log in to it securely, you could be up and running in minutes. We need to make more of our systems like that.

The problem with DNSSEC is it is so obviously architecturally "correct" but so difficult to deploy without many parties cooperating that it has acted as an enormous tar baby.

Perry
--
Perry E. Metzger pe...@piermont.com
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography