On Thu, Jan 26, 2012 at 04:34:07PM -0500, Phillip Hallam-Baker wrote:
> Getting defensive about problems is not going to solve them.

I'd like to know what you thought to be defensive in what I said. I was merely trying to point out that we need to make distinctions about pieces of the system if we are not to trip over ourselves trying to solve multiple problems at once. ("All possible" is, frankly, a preposterous scope. Universal quantification over possibility claims lead to metaphysical problems. I'd prefer to talk about practical methods to secure systems.)

DNSSEC and DANE are both designed with a particular purpose in mind: ensuring that you got the data you should have received from the (formally) correct server for that data. Pointing out that those techniques don't solve some other problem -- in this case, that the technically-correct server might not be the socially- or intentionally-correct server -- is at least an equivocation.

That is not to say that those other issues are unimportant, and I didn't suggest they were. On the contrary, I think they are important and I think we need to think about them. But those other issues are not evidence that DNSSEC and DANE don't or won't work. We'll never get anywhere if we treat distinguishable problems as though they're one big lump.

I think calling the entire lump of all the ways that data might get into the DNS plus all the ways you might look things up in it "the DNS" obscures distinctions that are extremely useful in thinking about the behaviour we want, and I cannot see any benefit in talking about the entire system without at the same time talking about the different parts and how those parts affect the overall security. It's like talking about the etiology of disease in mammals: maybe you can learn something from the generalization, but the particular disease and mammalian species is more likely to yield paths to useful inquiry.

A

--
Andrew Sullivan
a...@anvilwalrusden.com
_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey