I believe the perspectives approach is better, but it seems difficult to implement over the DNS since you can't escape its organizational warts. I think an approach like Certificate Transparency would be even better.
/Simon

You wrote:
> I've begun to propose an alternative to DNS/DANE, the PERSPECTIVES
> project from CMU, in version 01 of the problem statement:
> http://datatracker.ietf.org/doc/draft-malbrain-tls-strong-authentication.
> Have you considered what changes to the DNS system would address your
> concerns? I've proposed encrypted and authenticated connections in
> another thread.
>
> Karl Malbrain
>
> ________________________________
> From: Simon Josefsson <[email protected]>
> To: Karl Malbrain <[email protected]>
> Cc: perpass <[email protected]>; Stephen Farrell <[email protected]>
> Sent: Tuesday, September 24, 2013 3:48 AM
> Subject: Re: [perpass] tld strong authentication deployment draft
>
>
> Karl Malbrain <[email protected]> writes:
>
> > I've uploaded a draft on tls strong authentication deployment:
> >
> > http://datatracker.ietf.org/doc/draft-malbrain-tls-strong-authentication
> >
> > Any comments would be appreciated.
>
> I believe that anything based on DNS is the wrong way forward if your
> problem statement involves well funded adversaries. I think DNS-based
> distribution of keying material is a good way to simplify and
> bootstrap opportunistic encrypted channels, however, it would not
> provide strong authentication in the way that I would like to define
> it.
>
> /Simon
>
> _______________________________________________
> perpass mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/perpass
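To make concrete what the "perspectives approach" discussed in this thread checks, here is a small simulation of a Perspectives-style multi-notary key check. This is an added example written for this page; it is not code from the perpass thread, the CMU Perspectives project, or the cited draft. The host name, the four notaries, the quorum and history thresholds, and the byte strings standing in for certificates are all constructed. It shows why a key learned from a single source (the client's own connection, or one DNS answer) is weaker than a key corroborated by several independent vantage points with history: a substituted key that only the client sees, or that only one notary sees, fails the quorum, while a genuine rotation is flagged as a new key rather than silently accepted or rejected.

```python
"""Perspectives-style multi-notary key check, simulated offline.

Added example, not code from the perpass thread or the CMU project.
Host name, notary names, thresholds and certificate bytes are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from hashlib import sha256

HOST = "example.test"                    # hypothetical host
CERT_A = b"constructed DER for key A"    # stands in for the host's real certificate
CERT_B = b"constructed DER for key B"    # a different key: rotation or substitution


def fingerprint(cert: bytes) -> str:
    """Key identity shared by client and notaries (SHA-256 over the cert bytes)."""
    return sha256(cert).hexdigest()


@dataclass
class Observation:
    fingerprint: str
    first_seen: int  # day index when this notary first saw the key
    last_seen: int   # day index when it most recently saw the key


class Notary:
    """One vantage point that probes hosts itself and keeps per-key history."""

    def __init__(self, name: str):
        self.name = name
        self.history: dict[str, list[Observation]] = {}

    def record(self, host: str, cert: bytes, day: int) -> None:
        fp = fingerprint(cert)
        entries = self.history.setdefault(host, [])
        for obs in entries:
            if obs.fingerprint == fp:
                obs.last_seen = max(obs.last_seen, day)
                return
        entries.append(Observation(fp, day, day))

    def query(self, host: str) -> list[Observation]:
        return list(self.history.get(host, []))


def evaluate(host, cert, notaries, today, quorum=0.75, min_days=7):
    """Classify the key the client just received from its own connection.

    accept  : a quorum of notaries has seen this key for at least min_days
    new_key : a quorum sees it now, but its history is short (a rotation, or
              an interception that reaches every notary's path as well)
    reject  : fewer than a quorum of notaries currently see this key
    """
    fp = fingerprint(cert)
    current = established = 0
    for n in notaries:
        for obs in n.query(host):
            if obs.fingerprint == fp and obs.last_seen >= today - 1:
                current += 1
                if today - obs.first_seen >= min_days:
                    established += 1
                break
    needed = quorum * len(notaries)
    if established >= needed:
        return "accept"
    if current >= needed:
        return "new_key"
    return "reject"


def run_scenarios():
    """Constructed histories for four notaries; returns scenario -> verdict."""
    today = 30

    def fresh():
        ns = [Notary(f"notary-{i}") for i in range(4)]
        for n in ns:
            for day in range(today + 1):
                n.record(HOST, CERT_A, day)  # a month of consistent probes
        return ns

    results = {}
    # 1. Steady state: client sees the key every notary has seen for a month.
    results["steady"] = evaluate(HOST, CERT_A, fresh(), today)
    # 2. Substitution on the client's path only: no notary knows key B.
    results["client_only_sees_B"] = evaluate(HOST, CERT_B, fresh(), today)
    # 3. One notary's own path is intercepted and it reports B today.
    ns = fresh()
    ns[0].record(HOST, CERT_B, today)
    results["one_notary_sees_B"] = evaluate(HOST, CERT_B, ns, today)
    results["majority_still_sees_A"] = evaluate(HOST, CERT_A, ns, today)
    # 4. Genuine rotation: every notary started seeing B today.
    ns = fresh()
    for n in ns:
        n.record(HOST, CERT_B, today)
    results["rotation_today"] = evaluate(HOST, CERT_B, ns, today)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24s} -> {verdict}")
```

The `new_key` verdict is the interesting one for the thread's concern about well-funded adversaries: a quorum of notaries agreeing on a key that none of them has seen before is exactly what a fresh rotation and a network-wide interception look like from the client's side, so a deployment has to decide separately how to treat it (warn, delay, or require a second channel), which is the gap a public append-only log such as Certificate Transparency is meant to close.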
