- From: Dick Hardt <dick@sxip.com>
- Date: Thu, 26 Apr 2007 12:18:42 +0200
- To: "Dan Schutzer" <dan.schutzer@fstc.org>
- Cc: Thomas Roessler <tlr@w3.org>, michael.mccormick@wellsfargo.com, ses@ll.mit.edu, public-wsc-wg@w3.org, kjell.rydjer@swedbank.se, steve@shinkuro.com, public-usable-authentication@w3.org, Ben Laurie <benl@google.com>
fwiw I have always envisioned the significant impact of DNSSEC was to provide a "trusted" method for tying the public key used in TLS to the domain name bypassing the "leaky" CA infrastructure.

-- Dick

On 26-Apr-07, at 12:03 PM, Dan Schutzer wrote:

> Here is my take
>
> If they got the mapping from the domain name to the IP address
> securely, it indicates that they are at the correct web site (the
> site belonging to the url they typed in), so if they send sensitive
> information to the site, it is going to the correct site. However,
> if the connection is not secured, then the information can be
> intercepted by a man in the middle attack. However, if the link is
> TLS secured, then the information cannot be intercepted in transit.
> To be confident one's personal information is not being stolen, one
> would need to look at both indicators.
>
> -----Original Message-----
> From: public-usable-authentication-request@w3.org
> [mailto:public-usable-authentication-request@w3.org] On Behalf Of
> Thomas Roessler
> Sent: Thursday, April 26, 2007 5:35 AM
> To: michael.mccormick@wellsfargo.com
> Cc: ses@ll.mit.edu; public-wsc-wg@w3.org; kjell.rydjer@swedbank.se;
> steve@shinkuro.com; public-usable-authentication@w3.org
> Subject: Re: DNSSEC indicator
>
> (CC to the public comment list, since some folks who aren't on the
> WG are copied on this conversation.)
>
> On 2007-04-13 13:33:25 -0500, michael.mccormick@wellsfargo.com wrote:
>
>> I still think DNSSEC will be more valuable if it's visible to the
>> end user. True, most won't care. But some will, especially if
>> it can be presented in an intuitive and jargon-free fashion in
>> the UI.
>
> So, a user encounters a DNSSEC indicator. That means that they got
> the mapping from the domain name to the IP address securely. It
> doesn't tell them *anything* about the security of the conversation
> that goes on on higher protocol levels.
>
> On the other hand, if TLS is in place, the security of the
> connection doesn't really depend on DNSSEC, so the presence or
> absence of that indicator wouldn't provide any particularly useful
> information.
>
> Maybe one of you guys could enlighten me what user decision such an
> indicator would reasonably support?
>
> Thanks,
> --
> Thomas Roessler, W3C <tlr@w3.org>
Received on Thursday, 26 April 2007 10:19:07 UTC