
RE: DNSSEC indicator

From: Dan Schutzer <dan.schutzer@fstc.org>
Date: Thu, 26 Apr 2007 06:51:59 -0400
To: "'Dick Hardt'" <dick@sxip.com>
Cc: "'Thomas Roessler'" <tlr@w3.org>, <michael.mccormick@wellsfargo.com>, <ses@ll.mit.edu>, <public-wsc-wg@w3.org>, <kjell.rydjer@swedbank.se>, <steve@shinkuro.com>, <public-usable-authentication@w3.org>, "'Ben Laurie'" <benl@google.com>
Message-ID: <018901c787f0$eb8b6370$6500a8c0@dschutzer>

I agree. So, DNSSEC provides me both a secure link and greater confidence
that I am speaking to the correct domain name.

-----Original Message-----
From: public-usable-authentication-request@w3.org
[mailto:public-usable-authentication-request@w3.org] On Behalf Of Dick Hardt
Sent: Thursday, April 26, 2007 6:19 AM
To: Dan Schutzer
Cc: Thomas Roessler; michael.mccormick@wellsfargo.com; ses@ll.mit.edu;
public-wsc-wg@w3.org; kjell.rydjer@swedbank.se; steve@shinkuro.com;
public-usable-authentication@w3.org; Ben Laurie
Subject: Re: DNSSEC indicator


fwiw I have always envisioned the significant impact of DNSSEC was to  
provide a "trusted" method for tying the public key used in TLS to  
the domain name bypassing the "leaky" CA infrastructure.

-- Dick

On 26-Apr-07, at 12:03 PM, Dan Schutzer wrote:

>
> Here is my take
>
> If they got the mapping from the domain name to the IP address securely, it
> indicates that they are at the correct web site (the site belonging to the
> url they typed in), so if they send sensitive information to the site, it is
> going to the correct site. However, if the connection is not secured, then
> the information can be intercepted by a man in the middle attack. However,
> if the link is TLS secured, then the information cannot be intercepted in
> transit. To be confident one's personal information is not being stolen, one
> would need to look at both indicators.
>
> -----Original Message-----
> From: public-usable-authentication-request@w3.org
> [mailto:public-usable-authentication-request@w3.org] On Behalf Of Thomas Roessler
> Sent: Thursday, April 26, 2007 5:35 AM
> To: michael.mccormick@wellsfargo.com
> Cc: ses@ll.mit.edu; public-wsc-wg@w3.org; kjell.rydjer@swedbank.se;
> steve@shinkuro.com; public-usable-authentication@w3.org
> Subject: Re: DNSSEC indicator
>
>
> (CC to the public comment list, since some folks who aren't on the
> WG are copied on this conversation.)
>
> On 2007-04-13 13:33:25 -0500, michael.mccormick@wellsfargo.com wrote:
>
>> I still think DNSSEC will be more valuable if it's visible to the
>> end user.  True, most won't care.  But some will, especially if
>> it can be presented in an intuitive and jargon-free fashion in
>> the UI.
>
> So, a user encounters a DNSSEC indicator.  That means that they got
> the mapping from the domain name to the IP address securely.  It
> doesn't tell them *anything* about the security of the conversation
> that goes on on higher protocol levels.
>
> On the other hand, if TLS is in place, the security of the
> connection doesn't really depend on DNSSEC, so the presence or
> absence of that indicator wouldn't provide any particularly useful
> information.
>
> Maybe one of you guys could enlighten me what user decision such an
> indicator would reasonably support?
>
> Thanks,
> -- 
> Thomas Roessler, W3C  <tlr@w3.org>
>
Received on Thursday, 26 April 2007 10:52:23 GMT
