Re: Browser security warning

> From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
>>    IETF RFC 4398 provides a mechanism with which to use DNSSEC to
>> authenticate a site certificate using DNSSEC.  No commercial CA needed.
> 
> DNSSEC would be a great thing to have. Pity we don't.

   Microsoft will be supporting DNSSEC in Vista SP1.

   DHS, NIST, and the Department of Commerce have circulated a plan for
getting the root signed.

   You can check with Phil, but last I checked VeriSign has indicated that
it will start signing .com after NSEC3 (with opt-in) is ready and it
undergoes a testing period.  From my understanding NSEC3 standardization is
wrapping up.
 
> And while there are a few proposals for putting security stuff into
> DNS, those are all controversial.

   The security of today's low-assurance PKI business infrastructure is
controversial.  We rely on it anyway.

> that's worth pursuing, but just not here (since that'd be a new
> protocol).

   How are you defining new here?

Received on Thursday, 28 December 2006 16:05:54 UTC