> On 16/02/2021 00:23 Paul Wouters <[email protected]> wrote:
>
> Now you can choose:
>
> 1) Use DNS(SEC) for validation
> 2) Use WebPKI[*] for validation
> 3) TOFU
> 4) Take at face value
>
> [*] well, it's really trusting only LetsEncrypt CA[**]
> [**] Which depends on insecure DNS records for authentication, so
> in reality you need DNSSEC or WebPKI is just reduced to TOFU
Thanks for noting this. In general, I think that any solution for the authentication of name servers should not depend on the WebPKI. The DNS is a foundational block of the Internet: if it stops working, all services stop working (except those based on the direct use of IP addresses), not just the Web. The DNS should have as few dependencies as possible, and certainly should not depend on the policy and security mechanisms of specific application-layer protocols.

Also, requiring you to acquire a certificate from a Web CA would be quite a change from the traditional model, in which you could just run your own zone without having to ask anyone for permission. It would introduce a gatekeeping role and assign it to a relatively small set of private parties (again, centralization). The fact that certificates are currently available for free is not a solution, first because there is no guarantee that they always will be, and second because this does not alleviate the gatekeeping concerns.

--
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
[email protected]
Office @ Via Treviso 12, 10144 Torino, Italy

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
