On 2/10/11 1:25 PM, Eddy Nigg wrote:
> On 02/10/2011 07:20 PM, From Steve Schultze:
>> Zack, arguing with Eddy on this point is a losing proposition.
>> DNSSEC+TLSA has some demonstrably superior characteristics to CA
>> DV, but Eddy is not willing to concede this or even give detailed
>> reasoning.
> Well, we know about the advantages and shortcomings of CAs, you still
> have to provide a lot of proof about the supposed superiority of DNSSEC
> and what potential shortcomings will be.
As I have said repeatedly (and you have never addressed) the CA DV model
relies on DNS and thus imports any vulnerabilities that exist in a
DNS-based model. CA DV blindly trusts DNS. The only thing it can do
relative to a pure-DNS approach is add more vulnerabilities.
> I just mentioned in the previous mail a couple of arguments, perhaps
> you've got some answer to those instead of ranting against me?
I won't bother restating the reasons why CAs provide no comparative
benefit when it comes to policing "bad behavior", presuming one even
considers that a good policy outcome. It's all already in that m.d.s.p
thread.
We have also already discussed warranties elsewhere. I'm happy to
discuss the problems with the legal structure underlying such warranties
and the problems with the liability caps on such warranties (to the
extent that such caps are enforceable), but the only venue in which the
warranties even claim to have any significant force is in the EV
context... a context in which I wholeheartedly agree that the certs
provide comparative benefit over DANE. So, I'm not sure we have
anything more to discuss on that point either. It's also extremely OT
for this newsgroup.
I'm not ranting against you. I'm trying to focus the discussion on
actual claims and verifiable facts.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto