On 28 Apr 2014, at 23:07, Douglas Otis wrote:
> 
> > On Apr 28, 2014, at 2:32 PM, Trevor Freeman <[email protected]> wrote:
> 
> >> I spoke too soon. While the US government domains are signed, the actual web
> >> site is not in many cases.
> >> For example:
> >> www.dhs.gov is a CNAME entry to www.dhs.gov.edgekey.net which is unsigned.
> >> This is in turn a CNAME to another unsigned domain
> >> 
> >> www.dhs.gov.edgekey.net is a CNAME to e6485.dscb.akamaiedge.net
> 
> Dear Trevor,
> 
> Yes, there are many such CNAME wildcards in use. A poor practice from many
> perspectives.
> 
> Comcast has been helpful in vetting DNSSEC use. See http://dns.comcast.net.
> http://tools.ietf.org/html/draft-start-tls-over-dns-00 solves many deployment
> and privacy issues. DNSSEC should be considered a much needed work in
> progress.
> 
> Regards,
> Douglas Otis

PKI already suffers from the fact that its trust anchors do not align well (or, usually, at all) with the trust factors that underpin applications/services. Cloud architectures seem to me to exacerbate that state of affairs, because they often introduce a further level of abstraction in the certificate structure. I've seen this in two forms, each of which bears similarities to the Akamai example Trevor cited above:

1 - you visit "nakedfurries.com" (sorry, Warren ;^) ) but because their website is hosted, you see certificates for "cloudstorm.net" instead or as well, which doesn't contribute anything meaningful to the user's assessment of trust;

2 - the cloud service provider adds seemingly random qualifiers to the certificate label (e.g. fjdo7pspddlfhe544gr6g.servicename.com). Again, this doesn't add to the user's trust assessment, and can look suspiciously as though the cert label is being used as the vehicle for a unique tracking ID.

Yrs.,
Robin

> 
> >> From: perpass [mailto:[email protected]] On Behalf Of Trevor Freeman
> >> Sent: Monday, April 28, 2014 2:17 PM
> >> To: Noel David Torres Taño; [email protected]
> >> Subject: Re: [perpass] Is DNSDEC a viable technology for perpass?
> >> 
> >> Hi Noel,
> >> 
> >> If DNSSEC is used in corporations, that may be an interesting data point but
> >> perpass is specifically looking at the internet so it does not help much.
> >> 
> >> I understand there could be some benefit to adding some other filter to the
> >> data but the number to try and try to add a better quality metric. But
> >> absent that, the number is what it is. Happy to have the discussion on how
> >> we would consider what to filter on and maybe Verisign could provide more
> >> attributes with the data for us to mine the information.
> >> 
> >> I did some ad-hoc research and amongst the prominent internet services or
> >> financial institutions, there seems little evidence of DNSSEC. The only
> >> bright spot seemed to be government web sites, though here the deployment
> >> was still inconsistent in that government agencies have many web sites not
> >> part of the base domain and these were often not signed.
> >> 
> >> Trevor
> >> 
> >> -----Original Message-----
> >> From: perpass [mailto:[email protected]] On Behalf Of Noel David
> >> Torres Taño
> >> Sent: Monday, April 28, 2014 1:02 PM
> >> To: [email protected]
> >> Subject: Re: [perpass] Is DNSDEC a viable technology for perpass?
> >> 
> >> On Mon, 28-04-2014 at 18:38 +0000, Trevor Freeman wrote:
> >> > We have a range of technologies in the toolkit to address issues
> >> > identified by perpass.
> >> > 
> >> > One of the candidate technologies is DNSSEC. At a technology level it
> >> > has much to commend it.
> >> > 
> >> > The vast majority of critical TLDs are signed, so another good point
> >> > in its favor.
> >> > 
> >> > However when you look at the next tier down, the statistics point to a
> >> > problem.
> >> > 
> >> > According to the Verisign labs scoreboard, 340K+ domains in the .com
> >> > namespace are secured by DNSSEC
> >> > 
> >> > http://scoreboard.verisignlabs.com/
> >> > 
> >> > If you express that number as % that is about 0.4% and the growth
> >> > trend is about 0.1% per year
> >> > 
> >> > http://scoreboard.verisignlabs.com/percent-trace.png
> >> > 
> >> > The trend seems about 2 orders of magnitude below where we need to be
> >> > for DNSSEC to be viable in a realistic timescale.
> >> > 
> >> > Am I misinterpreting the data? If not, then do we have consensus on
> >> > what is blocking deployment?
> >> > 
> >> > Trevor
> >> > 
> >> Which are the numbers for .org ?
> >> 
> >> This one should have a little percentage of garbage, parked domains, etc.
> >> Moreover, it is less used by corporations with large IT departments and more
> >> used by small organizations like Libre Software projects.
> >> 
> >> And it is very important to trust the software you download.
> >> 
> >> Regards
> >> 
> >> Noel
> >> er Envite
> >> 
> >> _______________________________________________
> >> perpass mailing list
> >> [email protected]
> >> https://www.ietf.org/mailman/listinfo/perpass
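The www.dhs.gov chain Trevor describes above is the general case worth checking for: a name in a signed zone that CNAMEs into an unsigned zone gives no end-to-end DNSSEC guarantee, because a chain is only as strong as its weakest hop. The Python below is an added example, not code from this thread or from anyone on it. It walks a constructed resolution trace and applies that weakest-link rule. The owner names in DHS_TRACE are the ones quoted above, but the per-hop validation states, the contrast trace under .example, and the TEST-NET addresses are constructed for illustration, not live lookups; in practice the states would come from a validating resolver.

```python
"""Weakest-link check over the DNSSEC validation states of a CNAME chain.

Added example, not from the perpass thread. All traces below are
constructed: names in DHS_TRACE mirror the www.dhs.gov example quoted in
the thread, but the "status" values and the 192.0.2.x (TEST-NET-1)
addresses are illustrative, not results of live lookups.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Validation states as a validating resolver would label each RRset,
# ordered strongest to weakest for this check.
STATES = ("secure", "insecure", "bogus")


@dataclass(frozen=True)
class Hop:
    owner: str    # owner name of the RRset, fully qualified
    rtype: str    # "CNAME" or "A"
    rdata: str    # CNAME target, or IPv4 address for a terminal A record
    status: str   # one of STATES


# Constructed trace keyed by owner name: signed apex, unsigned CDN zones.
DHS_TRACE: Dict[str, Hop] = {
    "www.dhs.gov.": Hop("www.dhs.gov.", "CNAME",
                        "www.dhs.gov.edgekey.net.", "secure"),
    "www.dhs.gov.edgekey.net.": Hop("www.dhs.gov.edgekey.net.", "CNAME",
                                    "e6485.dscb.akamaiedge.net.", "insecure"),
    "e6485.dscb.akamaiedge.net.": Hop("e6485.dscb.akamaiedge.net.", "A",
                                      "192.0.2.10", "insecure"),
}

# Constructed contrast case: every hop lives in a signed zone.
SIGNED_TRACE: Dict[str, Hop] = {
    "www.example.": Hop("www.example.", "CNAME", "cdn.example.", "secure"),
    "cdn.example.": Hop("cdn.example.", "A", "192.0.2.20", "secure"),
}


def follow_chain(trace: Dict[str, Hop], name: str, max_hops: int = 8) -> List[Hop]:
    """Return the hops from `name` down to the terminal (non-CNAME) RRset.

    Raises ValueError on a missing name, a CNAME loop, or a chain longer
    than max_hops, which is also how a resolver guards against loops.
    """
    hops: List[Hop] = []
    seen = set()
    current = name if name.endswith(".") else name + "."
    while True:
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        if len(hops) >= max_hops:
            raise ValueError(f"chain longer than {max_hops} hops")
        hop = trace.get(current)
        if hop is None:
            raise ValueError(f"no record for {current}")
        seen.add(current)
        hops.append(hop)
        if hop.rtype != "CNAME":
            return hops
        current = hop.rdata


def chain_status(hops: List[Hop]) -> str:
    """Overall state of the chain is the weakest state of any hop."""
    if not hops:
        raise ValueError("empty chain")
    worst = 0
    for hop in hops:
        if hop.status not in STATES:
            raise ValueError(f"unknown state {hop.status!r} at {hop.owner}")
        worst = max(worst, STATES.index(hop.status))
    return STATES[worst]


def first_weak_hop(hops: List[Hop]) -> Optional[str]:
    """Owner name of the first hop that is not 'secure', or None."""
    for hop in hops:
        if hop.status != "secure":
            return hop.owner
    return None


if __name__ == "__main__":
    for label, trace, start in (("dhs", DHS_TRACE, "www.dhs.gov"),
                                ("signed", SIGNED_TRACE, "www.example")):
        hops = follow_chain(trace, start)
        path = " -> ".join(h.owner for h in hops)
        print(f"{label}: {path}: {chain_status(hops)}; "
              f"first weak hop: {first_weak_hop(hops)}")
```

The useful output is not the final state alone but the first weak hop: it tells the operator which zone (here the CDN's) would need to be signed before the signed apex buys anything for the web site.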
