Re: [Design] Re: Wes Hardaker: opportunistic encryptiondeployment problems

[Stephen Kent <kent@bbn.com>]

Henry,

I agree that the DNS is a reasonable place to store certs, although 
some DNS experts don't agree with this view.

I also agree that a PKI that exactly mirrored the DNS would be a 
great feature. Unfortunately, this is not what you get from DNSSEC. 
DNSSEC tries to solve a different problem, and it avoids using cert 
formats, instead opting for key and sig records. Some of the problems 
that DNSSEC faces re widespread deployment are a direct result of the 
set of security services it attempts to provide, relative to DNS 
queries. Providing certs that bind DNS names to keys would not solve 
the same set of problems, but would be simpler.

We disagree on the merits of opportunistic encryption. For most 
organizations, the primary threat is one of unauthorized access, not 
massive passive wiretapping of Internet traffic. Thus encrypting lost 
of traffic, without providing accompanying access controls, might 
cause more harm (in the access control dimension) than good, e.g., by 
making it harder to perform intrusion detection, trace attacks, etc. 
However, to the extent that FreeS/WAN tries to address a concern to a 
user community that has a different threat model, one that is more 
focused on big brother than on hackers, I don't argue with your 
approach.

Steve

---

Follow-Ups:

• Re: [Design] Re: Wes Hardaker: opportunistic encryption deployment problems
• From: Derek Atkins <warlord@mit.edu>

References:

• Re: [Design] Re: Wes Hardaker: opportunistic encryption deployment problems
• From: Henry Spencer <henry@spsystems.net>

---

• Prev by Date: Re: Require AH?
• Next by Date: RE: Traffic handling and key management "divide and coquer"
• Prev by thread: Re: [Design] Re: Wes Hardaker: opportunistic encryption deployment problems
• Next by thread: Re: [Design] Re: Wes Hardaker: opportunistic encryption deployment problems
• Index(es):
  • Main
  • Thread