On 8/09/13 21:24 PM, Perry E. Metzger wrote:
On Sat, 07 Sep 2013 18:50:06 -0700 John Gilmore <g...@toad.com> wrote:
It was never clear to me why DNSSEC took so long to deploy,
I believe you have answered your own question there, John. Even if we
assume subversion, deployment requires cooperation from too many
people to be fast.
One reason I think it would be good to have future key management
protocols based on very lightweight mechanisms that do not require
assistance from site administrators to deploy is that it makes it
ever so much easier for things to get off the ground. SSH deployed
fast because one didn't need anyone's cooperation to use it -- if you
had root on a server and wanted to log in to it securely, you could
be up and running in minutes.
It's also worth remembering that one reason the Internet succeeded was
that it did not need the permission of the local telcos and the purchase
of expensive ISO/OSI stuff from the IT companies in order to get up and
This lesson is repeated over and over again. Eliminate permission, and
win. Insert multiple permission steps and lose.
We need to make more of our systems like that. The problem with
DNSSEC is it is so obviously architecturally "correct" but so
difficult to do deploy without many parties cooperating that it has
acted as an enormous tar baby.
The cryptography mailing list