On 2/6/11 1:01 PM, Eddy Nigg wrote:
> On 02/06/2011 07:11 PM, From Zack Weinberg:
>> I'm going to ask you the same question I asked Nelson: In a
>> hypothetical world where DNSSEC+TLSA completely supersedes DV (but
>> people still use OV/EV for high-value sites) what do you see as having
>> been lost? Or, turning it around, what value do you see DV signatures
>> from CAs as providing over and above that provided by DNSSEC+TLSA?
>
> One of the points to consider is anti-phishing and flagging features
> built into CAs' systems (not all, but some). Ability to revoke
> certificates by a responsible third party is however probably a strong
> point in favor of CA-issued certificates, CA-provided warranties on top
> yet another. There is certainly more to what CAs do, provide and stand
> for besides the mere "point to point authentication".

Zack, arguing with Eddy on this point is a losing proposition.
DNSSEC+TLSA has some demonstrably superior characteristics to CA DV,
but Eddy is not willing to concede this or even give detailed reasoning.
See for example this extensive thread from m.d.s.p:
http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/c52b6de458ad54be/e87ecb2e5d632244?lnk=gst&q=dnssec#54f6778267375e67
He has yet to actually address what I said in that thread:
"The potential strength of putting Keys-in-DNSSEC is that it locates
control of domain validation in the most logical place for it... in DNS.
The proposal starts with the observation that CA DV *already
inherently* relies on the DNS for validation (emails to the domain,
etc). Why is it likely to be more secure than CA DV? First of all, it
subtracts hundreds of otherwise-unrelated entities from the process and
provides a single clear and public trust path that the Subscriber gets
to choose. Indeed, this generates in the market a virtuous race to the
top rather than the current race to the bottom."
His only claim, which he makes again here, is that CAs are somehow
better than registrars/registries at being the internet intermediary
cops. As a policy matter, I don't want more internet intermediaries
with control over my communications, but he does. In any case, there is
ample evidence that the intermediaries in the DNS system can have their
hands forced by the government too (witness recent ICE domain seizures,
COICA, etc.) so even if I concede that more control is a good thing,
it's not at all clear that the CA model offers a comparative advantage.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto