
RE: DNSSEC indicator

From: Dan Schutzer <dan.schutzer@fstc.org>
Date: Thu, 26 Apr 2007 06:03:38 -0400
To: "'Thomas Roessler'" <tlr@w3.org>, <michael.mccormick@wellsfargo.com>
Cc: <ses@ll.mit.edu>, <public-wsc-wg@w3.org>, <kjell.rydjer@swedbank.se>, <steve@shinkuro.com>, <public-usable-authentication@w3.org>, "'Dan Schutzer'" <dan.schutzer@fstc.org>
Message-ID: <013201c787ea$29fc3500$6500a8c0@dschutzer>

Here is my take:

If they got the mapping from the domain name to the IP address securely, it
indicates that they are at the correct web site (the site belonging to the
URL they typed in), so if they send sensitive information to the site, it is
going to the correct site. However, if the connection is not secured, then
the information can be intercepted by a man-in-the-middle attack. However,
if the link is TLS secured, then the information cannot be intercepted in
transit. To be confident one's personal information is not being stolen, one
would need to look at both indicators.

-----Original Message-----
From: public-usable-authentication-request@w3.org
[mailto:public-usable-authentication-request@w3.org] On Behalf Of Thomas
Roessler
Sent: Thursday, April 26, 2007 5:35 AM
To: michael.mccormick@wellsfargo.com
Cc: ses@ll.mit.edu; public-wsc-wg@w3.org; kjell.rydjer@swedbank.se;
steve@shinkuro.com; public-usable-authentication@w3.org
Subject: Re: DNSSEC indicator


(CC to the public comment list, since some folks who aren't on the
WG are copied on this conversation.)

On 2007-04-13 13:33:25 -0500, michael.mccormick@wellsfargo.com wrote:

> I still think DNSSEC will be more valuable if it's visible to the
> end user.  True, most won't care.  But some will, especially if
> it can be presented in an intuitive and jargon-free fashion in
> the UI.

So, a user encounters a DNSSEC indicator.  That means that they got
the mapping from the domain name to the IP address securely.  It
doesn't tell them *anything* about the security of the conversation
that goes on on higher protocol levels.

On the other hand, if TLS is in place, the security of the
connection doesn't really depend on DNSSEC, so the presence or
absence of that indicator wouldn't provide any particularly useful
information.

Maybe one of you guys could enlighten me as to what user decision such an
indicator would reasonably support?

Thanks,
-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Thursday, 26 April 2007 10:03:56 GMT
