On Apr 19, 2013, at 13:36, Paul Hoffman wrote:

> But what if that second factor is compromised?!?! :-)

I'm going out on a limb, but I believe compromising two things is harder than compromising just one. Perhaps "harder or just as hard as", but not "is easier". At some point, the question is: what if the earth blows up? Seriously... so what I'm trying to do is make sure operators have the chance to do things right.

If the IETF comes up with a process that has a single point of security engineering failure, it's a single point of failure in operations. If there are two or more factors, it is possible for me to split the roles around my organization. I might not, but I have the ability to do so.

I work in a fairly large organization. If you look at just one line of business, we have a separation between those that push the DS record around and those that have access to the key management machinery. In another area, some of the bits of this are embedded (or will be) in a completely separate location (architecturally) from the other half. (I'm not diving into that detail.) We didn't try to make "it" two-factor, but that's the way it has naturally fallen out. And it turns out to be a good thing. It's harder to corrupt the practice. Again, that wasn't the goal, but in thinking over CDS and our position, I see a nice alignment.

I'm not saying it's always this way. For smaller operations these functions might reside in one place, one person. And if we were forced to use a one-factor way, we'd work it, but the result would be less than optimal.

What I'm hammering is: give me, the operator, the ability to do my job right. I'm a bit frustrated when I'm handed technology that assumes I'll make the wrong choices and tries to shoehorn my operations into the one true way. That stifles innovation.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar
You can leave a voice message at +1-571-434-5468

There are no answers - just tradeoffs, decisions, and responses.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
