On Sun, Sep 11, 2011 at 8:37 AM, Douglas Huff <dh...@jrbobdobbs.org> wrote:
>
> On Sep 11, 2011, at 9:25 AM, Thierry Moreau wrote:
>>
>> E.g. http://datatracker.ietf.org/wg/dane/ (DNS-based Authentication of Named
>> Entities (dane))
>
> Which makes a huge assumption about DNS SEC that is just not realistic.
> Namely, the one I just mentioned, that end clients would actually be
> validating. Meaning that the MITM I mentioned becomes hilariously effective
> in the vast majority of scenarios where the clients themselves are not doing
> the validating. Giving a nice illusion of additional verification with no
> substance.
It doesn't make that assumption at all, and way too many cycles were spent going over this problem repeatedly. All of the discussion has essentially required the client to end-to-end verify the answer, which, given the amount of network breakage in the world that makes this difficult, is a serious wrinkle in attempts to deploy solutions like this.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography