[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Design] Re: Wes Hardaker: opportunistic encryptiondeployment problems
Henry,
I agree that the DNS is a reasonable place to store certs, although
some DNS experts don't agree with this view.
I also agree that a PKI that exactly mirrored the DNS would be a
great feature. Unfortunately, this is not what you get from DNSSEC.
DNSSEC tries to solve a different problem, and it avoids using cert
formats, instead opting for key and sig records. Some of the problems
that DNSSEC faces re widespread deployment are a direct result of the
set of security services it attempts to provide, relative to DNS
queries. Providing certs that bind DNS names to keys would not solve
the same set of problems, but would be simpler.
We disagree on the merits of opportunistic encryption. For most
organizations, the primary threat is one of unauthorized access, not
massive passive wiretapping of Internet traffic. Thus encrypting lost
of traffic, without providing accompanying access controls, might
cause more harm (in the access control dimension) than good, e.g., by
making it harder to perform intrusion detection, trace attacks, etc.
However, to the extent that FreeS/WAN tries to address a concern to a
user community that has a different threat model, one that is more
focused on big brother than on hackers, I don't argue with your
approach.
Steve
Follow-Ups:
References: