On Mon, Jun 16, 2014 at 2:49 PM, Michael Orlitzky <mjo@g.o> wrote:

> The benefits of DNSSEC are debatable. We're moving the centralized trust
> from one group of scumbags (the CAs) to another group of scumbags (the
> registrars). So the benefits to authentication are not entirely clear-cut.
>
> But, DNSSEC will eventually allow us to do away with the SSL racket, and
> that can only improve security through the widespread adoption of
> encryption. So it's a good thing either way.

While I agree with your concerns about trust, I think the good thing
about DNSSEC is that you don't have to trust as many people.

With the current SSL racket I need to trust all the folks in my
browser's CA list to not mess with my connection. Any one of them has
the power to spoof any website on the planet, and have you seen how
long the list is?

With DNSSEC the only people who can tamper with a connection are the
domain owner, registrar, and TLD owner. So, while Verisign can tamper
with a .com domain, they can't mess with a .uk domain, and at least
the folks who buy a .com domain know who they're getting involved
with. With SSL Verisign can spoof any domain there is anywhere, since
the trust relationship in SSL is not limited to some domain.

I'd like to see things improved further still, but DNSSEC is a big
step in the right direction.

Rich
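The scope argument in the reply above, as an added toy model that is not part of the thread and not real X.509 or DNSSEC: an HMAC under a zone or CA key stands in for a signature, a "DS record" is the hash of a child zone's key signed by its parent, and all keys and the `example.uk.` record are constructed. It shows that in the flat CA model any listed issuer validates any name, while in the delegation model a key for `com.` cannot vouch for a name under `uk.`.

```python
import hashlib
import hmac

# Toy model (not real X.509 or DNSSEC): an HMAC stands in for a signature.
def sign(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify(key: bytes, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, msg), sig)

def ca_validate(trusted_cas: dict, name: str, issuer: str, sig: bytes) -> bool:
    """CA model: every issuer in the trust list may vouch for every name."""
    key = trusted_cas.get(issuer)
    return key is not None and verify(key, name.encode(), sig)

def parent_of(zone: str) -> str:
    return zone.split(".", 1)[1] or "."  # 'example.uk.' -> 'uk.' -> '.'

def delegate(parent_key: bytes, zone: str, zone_key: bytes) -> dict:
    """Parent publishes a signed DS record (hash of the child's key)."""
    ds = hashlib.sha256(zone_key).digest()
    return {"key": zone_key, "ds_sig": sign(parent_key, zone.encode() + ds)}

def dnssec_validate(root_key: bytes, zones: dict, zone: str, rrset: bytes, rrsig: bytes) -> bool:
    """DNSSEC model: trust descends root -> TLD -> domain along DS records."""
    chain = []
    while zone != ".":
        chain.append(zone)
        zone = parent_of(zone)
    trusted = root_key
    for z in reversed(chain):  # walk downward from the TLD
        entry = zones.get(z)
        ds = hashlib.sha256(entry["key"]).digest() if entry else b""
        if not entry or not verify(trusted, z.encode() + ds, entry["ds_sig"]):
            return False  # this parent never delegated to that key
        trusted = entry["key"]
    return verify(trusted, rrset, rrsig)

def demo() -> dict:
    root, com, uk, ex, evil = b"root-k", b"com-k", b"uk-k", b"ex-uk-k", b"evil-k"
    zones = {"com.": delegate(root, "com.", com), "uk.": delegate(root, "uk.", uk),
             "example.uk.": delegate(uk, "example.uk.", ex)}
    rrset = b"example.uk. A 192.0.2.10"  # constructed record
    # in each model, the .com key tries to vouch for a .uk name
    forged = dict(zones, **{"example.uk.": delegate(com, "example.uk.", evil)})
    cas = {"com-registry": com, "other-ca": b"other-k"}  # flat browser-style list
    return {
        "dnssec_legit": dnssec_validate(root, zones, "example.uk.", rrset, sign(ex, rrset)),
        "dnssec_forged": dnssec_validate(root, forged, "example.uk.", rrset, sign(evil, rrset)),
        "ca_forged": ca_validate(cas, "example.uk", "com-registry", sign(com, b"example.uk")),
    }
```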