PHB,

...

is that really more "severe" than an ability to issue a credential
for ANY name, as in the Web PKI?
At least that is a temporary condition.
If CT is successful, yes.
Any trust infrastructure that ultimately rests on the common sense of
the US Congress and President is doomed in the long run. And there
isn't a better political solution on offer either.
common sense and the U.S. Congress, that's an uncommon pairing :-).
Finding a technical mechanism that reduces the dependence on the
political/policy dimension makes it much easier to address that layer.
If it is possible it is always far easier to eliminate a single point
of failure than to work out policy level controls to prevent abuse.
agreed.
...
If they already have a PKI then they are probably not interested in
DNSSEC at all because that problem is already solved and DNSSEC is the
red herring.
agreed, unless someone convinces them that the shiny new DNSSEC approach
to PKI is better, ...
Unless that is there is an interesting way to use DNSSEC as an
extension of the enterprise PKI. In which case it is critical that the
DNSSEC PKI does not introduce a new point of failure.
agreed.

That's a very confusing last phrase.

DNSSEC is still raw technology. Saying that it does not need feature X
before the full set of potential applications is premature. We don't
know what it is useful for yet. That is what we should find out.
Thanks for the clarification.
I understand their concerns. But the lack of a well-articulated architecture
for CT, much less a CT for DNSSEC, makes it hard for me to gauge whether
this is a good idea.
I find that looking at an additional field of application is often a
very good way to improve an underspecified architecture.
I guess so, but I'd really prefer a fully-specified architecture for
what purports to be the motivating case, before we claim it's a good
basis for solving other problems. I think the potential DNSSEC mis-issuance
problems are different enough to merit a separate analysis and design proposal.
Trans is rather too closely designed to solve one problem and it is
not even clear that it does that particularly well. There is a lot of
fuzziness in the process by which a relying party decides that a
particular value is the true Merkle tree apex of a particular log.
I agree.

Steve
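The exchange above turns on what a relying party can actually check when a log hands it a "Merkle tree apex" (a signed tree head). The mechanical part is well defined by RFC 6962: the tree hash over the log's entries, and a consistency proof showing that an older tree head is a prefix of a newer one. What no proof can show a single client is that everyone else is being shown the same tree, which is the gap the message calls fuzzy. The code below is an added example, not from the thread or from any CT implementation; it implements the RFC 6962 tree hash and consistency proof generation, plus verification in the form given in RFC 9162, over a constructed list of byte-string entries standing in for log entries.

```python
"""RFC 6962 Merkle Tree Hash and consistency-proof check (added example)."""
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962: leaves are domain-separated with a 0x00 prefix.
    return _h(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    # Interior nodes use a 0x01 prefix, so a leaf can never pose as a node.
    return _h(b"\x01" + left + right)


def _split(n: int) -> int:
    """Largest power of two strictly smaller than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def mth(entries):
    """Merkle Tree Hash of an ordered list of entries (RFC 6962 section 2.1)."""
    n = len(entries)
    if n == 0:
        return _h(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(mth(entries[:k]), mth(entries[k:]))


def consistency_proof(m, entries):
    """Nodes proving that the tree over entries[:m] is a prefix of the full tree."""
    if not 0 < m <= len(entries):
        raise ValueError("need 0 < m <= tree size")
    return _subproof(m, entries, True)


def _subproof(m, entries, b):
    n = len(entries)
    if m == n:
        return [] if b else [mth(entries)]
    k = _split(n)
    if m <= k:
        return _subproof(m, entries[:k], b) + [mth(entries[k:])]
    return _subproof(m - k, entries[k:], False) + [mth(entries[:k])]


def verify_consistency(first, second, first_hash, second_hash, proof):
    """Relying-party check: does the proof tie first_hash (size first) to
    second_hash (size second) without the log having rewritten history?"""
    if first == second:
        return first_hash == second_hash and not proof
    if not 0 < first < second:
        return False
    proof = list(proof)
    if first & (first - 1) == 0:          # first is a power of two
        proof = [first_hash] + proof
    if not proof:
        return False
    fn, sn = first - 1, second - 1
    while fn & 1:                         # drop shared trailing ones
        fn >>= 1
        sn >>= 1
    fr = sr = proof[0]
    for p in proof[1:]:
        if sn == 0:
            return False                  # proof longer than the tree allows
        if fn & 1 or fn == sn:
            fr = node_hash(p, fr)
            sr = node_hash(p, sr)
            while fn != 0 and not fn & 1:
                fn >>= 1
                sn >>= 1
        else:
            sr = node_hash(sr, p)
        fn >>= 1
        sn >>= 1
    return fr == first_hash and sr == second_hash and sn == 0


# Constructed stand-in for seven log entries (not real certificates).
ENTRIES = [b"entry-%d" % i for i in range(7)]


def check_all_prefixes(entries):
    """Verify every older tree head against the current one; a log that
    silently reordered or replaced an entry fails at least one of these."""
    full = mth(entries)
    return all(
        verify_consistency(m, len(entries), mth(entries[:m]), full,
                           consistency_proof(m, entries))
        for m in range(1, len(entries) + 1)
    )
```

A passing check only says the two tree heads this client saw are consistent with each other; detecting a log that serves a different tree to different clients requires comparing tree heads obtained from independent parties, which the protocol in the message leaves unspecified.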

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans