On 07/10/2018 01:43 PM, Dave Lawrence wrote:

> In the large I agree with you, but I think there's more to it than
> that.  If it pushed me DNSSEC records that I could verify myself from
> my own configured trust anchor, why can't I trust them then?

Alternately, if I know that I'm going to verify the data in them some
other way (e.g. via X.509 certificate verification in a TLS connection),
is it even "trust" to say that you might be willing to try using the
data in those records to see whether you can create an authenticated
connection?

I'm not saying it's a slam dunk: there are privacy concerns in both
directions. But I think the situation is very context-specific.  Certain
clients have specific needs for these records to validate in some
particular ways, but other clients have different needs.  I hope the
discussion will be very specific about which clients we're talking about
-- not just which specific transport the DNS records arrive over.

        --dkg


-- 
Daniel Kahn Gillmor
Senior Staff Technologist
Speech, Privacy, and Technology Project
American Civil Liberties Union
+1.212.284.7336
OpenPGP fingerprint: 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9
Pronouns: he/him/his
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
