
Bob Harold wrote:
> On Wed, May 20, 2015 at 1:55 PM, Joe Abley <jab...@hopcount.ca>
> wrote:
> 
>> ... I would also support (as I have heard others say before, and
>> as I think I have also said) a separate document that provides
>> advice to anybody else planning to deploy code that uses a
>> DNS-like namespace that is not the DNS. Such people should either
>> make their names unambiguously different from those used in the
>> DNS, or should anchor them somewhere else in the namespace where
>> defensive registrations in the DNS are less contentious. For
>> example, if the Tor project had used "onion.eff.org" instead of 
>> "onion", we would not be having this conversation. Making such
>> guidance available would make it far easier to deal with the
>> future possibility that a decision with "onion" would set an
>> unfortunate precedent.
>> 
> ... The "onion.eff.org" idea only solves half of the problems - it
> would prevent others from using the domain for something else, but
> it fails to provide the required privacy - part of the requirement
> is that the onion names NOT be sent to DNS servers at all, for
> privacy.

The other reason this fails (partly linked to the privacy issue above)
is because it puts the entire .onion domain in control of a single
zone file. Even if the organization controlling that zone file is
trustworthy, it only takes a single compromise (and who hasn't heard
of DNS zones being hijacked?) for someone to add "legitimate" records
for e.g. facebookcorewwwi.onion.eff.org pointing to malicious servers
on the clearnet. This is not a privacy issue, it is a direct and
abject compromise of the security properties expected of a .onion address.

For apps that already have a centralized model, the suggestion is not
as bad. But for .onion (and the .TLDs in the P2PNames draft),
centralized control is exactly what the technical protocols are
avoiding, and it is irresponsible to provide a "golden key" that could
be used to subvert them.

str4d

> 
> -- Bob Harold

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
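A defender-side illustration of the two failure modes str4d and Bob Harold describe above (genuine .onion names leaking to a DNS resolver, and DNS names that merely imitate the onion namespace by anchoring an "onion" label under a real zone), as an added example that is not part of the thread. The BIND-style query-log format, client addresses and timestamps are constructed for the example.

```python
import re

# Constructed sample of resolver query-log lines (BIND-style "query:" lines
# are assumed here for illustration; these are not from the original thread).
SAMPLE_QUERY_LOG = """\
20-May-2015 13:55:01.001 client 10.0.0.5#51234: query: www.ietf.org IN A +
20-May-2015 13:55:02.002 client 10.0.0.7#51235: query: facebookcorewwwi.onion IN A +
20-May-2015 13:55:03.003 client 10.0.0.9#51236: query: facebookcorewwwi.onion.eff.org IN A +
20-May-2015 13:55:04.004 client 10.0.0.5#51237: query: onion.eff.org IN A +
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def classify(qname: str) -> str:
    """Relate a queried name to the .onion namespace.

    'onion-leak'   : a real .onion name; RFC 7686 says these must never be
                     sent to DNS, so seeing one in resolver logs is a privacy leak.
    'onion-anchor' : a DNS name carrying an 'onion' label below the top level
                     (the "onion.eff.org" scheme). It is ordinary DNS and gives
                     none of the onion security properties; flagged as a heuristic.
    'dns'          : anything else.
    """
    labels = qname.rstrip(".").lower().split(".")
    if labels[-1] == "onion":
        return "onion-leak"
    if "onion" in labels[:-1]:
        return "onion-anchor"
    return "dns"


def scan_query_log(text: str) -> list[tuple[str, str, str]]:
    """Return (client, qname, verdict) for every query that is not plain DNS."""
    findings = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip
        verdict = classify(m["qname"])
        if verdict != "dns":
            findings.append((m["client"], m["qname"], verdict))
    return findings


if __name__ == "__main__":
    for client, qname, verdict in scan_query_log(SAMPLE_QUERY_LOG):
        print(f"{verdict:13} {client:12} {qname}")
```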
