On 6.11.2017 16:15, Paul Hoffman wrote: > Doesn't "I don't trust my parent's security policy" open up a million > cans of worms anyway? It feels like making this change to the default
1. The problem is that there were (and certainly will be) successfull hacks into registries, that seems just inevitable. 2. Vast majority of people will not bother with setting up own trust anchors. I.e. vast majority of people will not be affected by any brittlenes you envision. 3. The small fraction of people who configure their own TA do it for a reason. The reason I can see is "TA pinning". This provides users ability to to configure their critical systems in a way which turns successfull hack into my parent registry into Bogus status. Yes, it requires them to keep TA up-to-date, but that is the price you pay for pinning. > behavior will make validation more brittle (because people *will* forget > to update their lower-level trust anchors) in order to help a very small > number of people who could have made the configuration change themselves. Personally I do not see justification for 'trust DS or TA' behavior so I'm not willing to make security critical code paths more complex just for sake of having an unused configuration knob. In other words, "could have made the configuration change themselves" is not applicable here because the knob is not going to be available. I did my best to explain my reasoning, let me know if you can see some holes in the reasoning. -- Petr Špaček @ CZ.NIC _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop