RE: DNSSEC indicator from Dan Schutzer on 2007-04-26 (public-usable-authentication@w3.org from April 2007)

From: Dan Schutzer <dan.schutzer@fstc.org>
Date: Thu, 26 Apr 2007 09:32:07 -0400
To: "'Mary Ellen Zurko'" <Mary_Ellen_Zurko@notesdev.ibm.com>, <beltzner@mozilla.com>
Cc: <public-usable-authentication@w3.org>
Message-ID: <028001c78807$49bc1500$6500a8c0@dschutzer>

Some things I find from a search engine, but others I type in - like my
bank, my company website, my drug website, even tvguide.com

 

  _____  

From: public-usable-authentication-request@w3.org
[mailto:public-usable-authentication-request@w3.org] On Behalf Of Mary Ellen
Zurko
Sent: Thursday, April 26, 2007 9:13 AM
To: beltzner@mozilla.com
Cc: public-usable-authentication@w3.org
Subject: Re: DNSSEC indicator

 


Must be a lot of people who watch TV commercials and go to movies in the US
type in URLs. I see every movie commericial ending in one. 

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect





"Mike Beltzner" <beltzner@mozilla.com> 
Sent by: public-usable-authentication-request@w3.org

04/26/2007 08:44 AM


Please respond to
beltzner@mozilla.com


To

sthomas2@ups.com, public-usable-authentication-request@w3.org,
public-usable-authentication@w3.org


cc

 


Subject

Re: DNSSEC indicator

 


 

 




Like page encoding, the presence/absense of DNSSEC will be interesting to a
select few users, and should be relegated accordingly to secondary,
diagnostic UI. The client should - when DNSSEC actually exists in the wild -
be modified such that its presence or absence can be used to provide the
client (not the poor user, who doesn't care about the topsy-turvy world of
TCP/IP) with an additional criteria on which to base its security policy in
terms of how to treat the source content. This is purely an implementation
detail at the connection later plugging what Dick correctly termed a "leaky
hole". 

Oh, and in answer to the question of "who still types in URLs these days?",
it turns out that quite a lot of people do. By some metrics, as many as 30%
of starting a task pageloads. 

cheers,
mike
 

-----Original Message-----
From: <sthomas2@ups.com>
Date: Thu, 26 Apr 2007 08:19:32 
To:<public-usable-authentication@w3.org>
Subject: RE: DNSSEC indicator


Dick is quite right. DNSSEC could indeed provide another tool in the
toolbox to make sure that the network is doing what the user really
wants. My issue, though, is elevating the DNSSEC status to a
human-visible indication. The more indicators that are displayed to a
user, the less likely the user is to pay attention to them. Research is
already showing that users are ignoring the indications that browsers
give them today. For that reason, browser designers need to be very
parsimonious in displaying security indications and focus on showing
information that is really important. Given the relative rarity of
attacks involving improper name resolutions, a DNSSEC indication would
not seem to have enough value to justify its use.

Stephen 

-----Original Message-----
From: Dick Hardt [mailto:dick@sxip.com] 
Sent: Thursday, 26 April 2007 8:10 AM
To: Thomas Stephen (SKD8YPG)
Cc: public-usable-authentication@w3.org
Subject: Re: DNSSEC indicator


There is unlikely to be a single silver bullet that solves *all* the  
issues. It is useful to know that the client really is connected to  
www.micros0ft.com if that is what the client wants to connect to.

DNSSEC is not going to solve social phishing attacks, but it does  
enable other technology such as CardSpace etc. to have increased  
certainty on what is going on.

-- Dick

Received on Thursday, 26 April 2007 13:32:32 UTC