[security] DNS-SEC the solution?

Ben Laurie benl at google.com
Fri Aug 8 19:32:02 UTC 2008


On Fri, Aug 8, 2008 at 8:13 PM, Dick Hardt <dick at sxip.com> wrote:
>
> On 8-Aug-08, at 11:13 AM, Ben Laurie wrote:
>
>> On Fri, Aug 8, 2008 at 6:37 PM, Dick Hardt <dick at sxip.com> wrote:
>>>
>>> What if OpenID required DNS-SEC critical parts of the protocol?
>>>
>>> The objective is to bind the DNS identifiers to documents.
>>>
>>> This could be a driver for DNS-SEC. Thoughts on this Ben?
>>
>> DNSSEC certainly solves the underlying DNS problem, and definitely
>> could be extended to solve all sorts of other problems.
>>
>> Whether problems in OpenID will be found significantly more compelling
>> than existing arguments is another question.
>
> Would you elaborate or provide a pointer? Your wisdom here would be really
> useful!

Well. The underlying issues are:

a) The root must be signed. This means you are buried in ICANN mire.

b) For the large registrars the cost (operational and capital) of
DNSSEC is significant. Millions. Lots of millions.

c) No-one's really figured out what you actually do when the
verification fails - tell the user? Fail utterly?

d) If the user does DNSSEC then how do they configure root keys and do rollover?

e) If the user instead relies on an upstream server, then:
   1. are they any better off? the last mile becomes the target.
   2. how do you report errors?

f) Most people don't care.
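Points (c) and (e) above are about what a client can actually tell from a DNS answer when it leaves validation to an upstream resolver. The following is an added illustration, not code from this thread or from OpenID: it parses the 12-byte DNS message header (RFC 1035 layout; the AD bit is defined in RFC 4035) and classifies the answer the way a stub resolver is forced to. The messages are constructed inline for the example; the `upstream_trusted` parameter is a hypothetical flag standing in for "the last mile to the validator is protected".

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035).
FLAG_QR = 0x8000   # response
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # Authentic Data: set by a validating resolver
FLAG_CD = 0x0010   # Checking Disabled
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2  # what a validator returns for a bogus answer


def parse_header(msg: bytes) -> dict:
    """Split the fixed 12-byte DNS header into its fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "rcode": flags & RCODE_MASK,
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(msg: bytes, upstream_trusted: bool) -> str:
    """What a stub resolver relying on an upstream validator can conclude.

    upstream_trusted (hypothetical flag): True only if the channel to the
    validating resolver is itself protected (e.g. it is on-host or the
    transport is authenticated); otherwise the AD bit is just a bit on
    the wire and cannot be relied upon.
    """
    h = parse_header(msg)
    if h["rcode"] == RCODE_SERVFAIL:
        # A validator answers SERVFAIL for bogus data, but SERVFAIL is also
        # what you get for an ordinary outage: the client cannot tell which.
        return "bogus-or-unreachable"
    if h["ad"] and upstream_trusted:
        return "validated"
    if h["ad"]:
        return "unverifiable"   # AD set, but nothing protects the last mile
    return "insecure"           # no validation claimed at all


def build_header(ident: int, flags: int, qd: int = 1, an: int = 1) -> bytes:
    """Constructed 12-byte header for the examples below (no question/answer body)."""
    return struct.pack("!6H", ident, flags, qd, an, 0, 0)


def set_ad_bit(msg: bytes) -> bytes:
    """Return a copy of the message with AD set; shows why classify() ignores
    AD on an unprotected path: it is a single header bit with no signature."""
    ident, flags = struct.unpack("!2H", msg[:4])
    return struct.pack("!2H", ident, flags | FLAG_AD) + msg[4:]


if __name__ == "__main__":
    validated = build_header(0x1234, FLAG_QR | FLAG_RA | FLAG_AD)
    bogus = build_header(0x1235, FLAG_QR | FLAG_RA | RCODE_SERVFAIL)
    plain = build_header(0x1236, FLAG_QR | FLAG_RA)
    for name, m in [("validated", validated), ("bogus", bogus), ("plain", plain)]:
        print(name, "trusted path:", classify(m, True),
              "| untrusted path:", classify(m, False))
    print("plain with AD flipped on, untrusted path:",
          classify(set_ad_bit(plain), False))
```

The SERVFAIL branch is the concrete form of point (c): the protocol as deployed gives the client one error code for "signature did not verify" and for "the resolver is broken", so "tell the user" has nothing specific to say. Later work (RFC 8914, Extended DNS Errors) adds an EDNS option carrying the reason, but a stub that only reads the header still sees the ambiguity above.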
