[jdev] manifesto & DANE does not cut it

Tony Finch dot at dotat.at
Mon Nov 18 15:39:11 UTC 2013

Ralf Skyper Kaiser <skyper at thc.org> wrote:
> The user has to trust ALL keys and not just the single ROOT KEY.

That's true, but the amount of trust you have to put in high-level DNSSEC
keys is relatively limited. DNSSEC is aware of zone cuts, and high-level
keys cannot authenticate domain names below a zone cut. The DNS also
caches a lot, so if an attacker tries to redirect part of the namespace
without obtaining the corresponding private keys, they will cause
suspicious validation failures at sites where the proper public keys were

It would be nice to have something better than DNSSEC, but at least it has
a safer structure than X.509.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.

More information about the JDev mailing list