On 2013-09-04 17:55, Mike Hoskins (michoski) wrote:
-----Original Message-----
From: Ondřej Surý <[email protected]>
Date: Wednesday, September 4, 2013 10:37 AM
To: "[email protected]" <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [dns-operations] Implementation of negative trust anchors?
On 22. 8. 2013, at 21:59, [email protected] wrote:
Our browsers give us the option to trust invalid TLS certificates,
some
even storing it indefinitely. Is an NTA much different?
And in certain circles it's considered by one of the biggest mistakes
that could have happened, and the reason why the whole PKI fails so
hard
now.
I just want to point out that vendors or software in general should
certainly ship secure by default, BUT also give users the option to
shoot
their own foot (with adequate documentation and shepherding away from
loading the gun).
That could work in community of geeks, but not in consumer electronics.
I believe in security, but also free choice.
I don't think this is about a free choice, but adhering to the protocol.
When the two seem to conflict, better education is the answer not
removing one's ability to
make choices. There will always be use cases the smartest can not
fathom
which make perfect sense to someone you have not met...no matter how
well
intentioned we are, I don't believe controlling someone else's destiny
through force alone is the right path. In my mind, this applies to
SSL/TLS, NTA, etc.
This is not technical, but philosophical question about where do you
draw the line. Is your bank limiting your free choice by not providing
the options to give free access to your money to random visitors?
O.
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
