On 16/02/2021 15:58 Vittorio Bertola <[email protected]> wrote:
> Thanks for noting this. In general, I think that any solution for the
> authentication of name servers should not depend on the WebPKI. The DNS is a
> foundational block of the Internet - if it stops working, all services stop
> working (except those based on the direct use of IP addresses), not just the
> Web. The DNS should have as few dependencies as possible, and certainly not
> depend on the policy and security mechanisms of specific application-layer
> protocols.
>
> Also, requiring you to acquire a certificate from a Web CA would be quite a
> change from the traditional model in which you could just run your own zone
> without having to ask anyone for permission. It would introduce a
> gatekeeping role and attribute it to a relatively small set of private
> parties (again, centralization). The fact that certificates are currently
> available for free is not a solution, first because there is no guarantee
> that they always will be, and second because this does not alleviate the
> gatekeeping concerns.

+1 to the general points made above about reducing resilience and increasing centralisation - IMHO any developments that increase the current drift towards centralisation should be treated with caution and may well be counter to RFC 8890, ditto those that reduce resilience.

Andrew

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
