On Fri, Oct 19, 2012 at 9:54 AM, Ben Laurie <[email protected]> wrote: > On 16 October 2012 15:48, Phillip Hallam-Baker <[email protected]> wrote: > > I think that is a rather naive assessment. > > > > Most of us do not want to be dependent on a single root of trust that is > > ultimately under the physical control of VeriSign and the legal control > of > > ICANN, a body whose insistence that it is above criticism should be > deeply > > troubling. Attempts to concentrate trust in one place have invariably > proved > > to be unstable. > > > > DLV is not the solution but it may be a useful contribution to a > solution. > > How about a solution that doesn't require you to trust anyone - namely > Certificate Transparency?
I would not go that far for CT. I think Transparency is the most important new idea in security for quite a while. But Transparency does not remove the need to trust the certificate issuer to do the job right. It merely creates a more effective feedback loop. While there is not a lot of difference in terms of the strength of the trust provided, the consequences for the cost of providing that cost are significant. CT does not eliminate the need for CAs to run their facilities correctly and validate cert requests effectively. All CT does is to create a new stick to beat the ones that don't. Now if you had actually created a mechanism that did not require trust at all and it was possible to administer it in a practical way (contra Sovereign Keys) then you could eliminate those costs. Now there might be a way to graft CT onto DNSSEC via DLV and maybe we should look at that as well. There is a big policy level incentive to do that as the mono-root structure is far too much of a liability right now. I don't think any of us would be at all comfortable with ITU running that root. And the SCO faction are certainly not going to accept ICANN running that root. So what we are headed for right now is a fracture of the root. At present I think we should concentrate on CT for PKIX. But if things spin out of control in Dubai we might well find that this is a much more urgent question. Though not one that is likely to be viable in IETF given the popularity of my IPv6 Sovereign Allocation proposal here. -- Website: http://hallambaker.com/
_______________________________________________ dane mailing list [email protected] https://www.ietf.org/mailman/listinfo/dane
