On Thu, 22 May 2014, Osterweil, Eric wrote:
> Without implying a presumption of expertise on DNS, I would argue that DNSSEC avoids the problems CT seems to be trying to solve by coupling its key learning (and verification) methods to the hierarchical namespace. As Steve said (I believe) PKIX != Web PKI, and the problems addressed by CT seem to be focused more on the latter. I don't think there is a key learning/verification dilemma in DNSSEC that CT is appropriate for.
There are some very visible and vocal people that have rejected DNSSEC flat out because it can be circumvented or coerced by the higher-up parental zones. They have an inherent distrust of the US Government, Verisign, ICANN, etc. In fact, they are often trying to replace the DNS with some peer-to-peer type solution for this very reason. I see CT-DNSSEC as a way to address that concern, and get those people on board for DNS with DNSSEC security without the need for an alternative to DNS.

Paul

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
