
Re: DNSSEC indicator

From: Dick Hardt <dick@sxip.com>
Date: Thu, 26 Apr 2007 12:18:42 +0200
Message-Id: <A2AB674A-926D-4180-BE4F-851BBF631A85@sxip.com>
Cc: Thomas Roessler <tlr@w3.org>, michael.mccormick@wellsfargo.com, ses@ll.mit.edu, public-wsc-wg@w3.org, kjell.rydjer@swedbank.se, steve@shinkuro.com, public-usable-authentication@w3.org, Ben Laurie <benl@google.com>
To: "Dan Schutzer" <dan.schutzer@fstc.org>

fwiw I have always envisioned the significant impact of DNSSEC was to  
provide a "trusted" method for tying the public key used in TLS to  
the domain name bypassing the "leaky" CA infrastructure.

-- Dick

On 26-Apr-07, at 12:03 PM, Dan Schutzer wrote:

>
> Here is my take
>
> If they got the mapping from the domain name to the IP address
> securely, it indicates that they are at the correct web site (the
> site belonging to the URL they typed in), so if they send sensitive
> information to the site, it is going to the correct site. However, if
> the connection is not secured, then the information can be
> intercepted by a man-in-the-middle attack. However, if the link is
> TLS secured, then the information cannot be intercepted in transit.
> To be confident one's personal information is not being stolen, one
> would need to look at both indicators.
>
> -----Original Message-----
> From: public-usable-authentication-request@w3.org
> [mailto:public-usable-authentication-request@w3.org] On Behalf Of
> Thomas Roessler
> Sent: Thursday, April 26, 2007 5:35 AM
> To: michael.mccormick@wellsfargo.com
> Cc: ses@ll.mit.edu; public-wsc-wg@w3.org; kjell.rydjer@swedbank.se;
> steve@shinkuro.com; public-usable-authentication@w3.org
> Subject: Re: DNSSEC indicator
>
>
> (CC to the public comment list, since some folks who aren't on the
> WG are copied on this conversation.)
>
> On 2007-04-13 13:33:25 -0500, michael.mccormick@wellsfargo.com wrote:
>
>> I still think DNSSEC will be more valuable if it's visible to the
>> end user.  True, most won't care.  But some will, especially if
>> it can be presented in an intuitive and jargon-free fashion in
>> the UI.
>
> So, a user encounters a DNSSEC indicator.  That means that they got
> the mapping from the domain name to the IP address securely.  It
> doesn't tell them *anything* about the security of the conversation
> that goes on on higher protocol levels.
>
> On the other hand, if TLS is in place, the security of the
> connection doesn't really depend on DNSSEC, so the presence or
> absence of that indicator wouldn't provide any particularly useful
> information.
>
> Maybe one of you guys could enlighten me what user decision such an
> indicator would reasonably support?
>
> Thanks,
> -- 
> Thomas Roessler, W3C  <tlr@w3.org>
>
Received on Thursday, 26 April 2007 10:19:07 GMT
