DNSSEC indicator

Stuart can you elaborate on: 

 

I have been working on a new standard that would employ DNSSEC to reduce,

rather than increase, the amount of security information that users need to

be made aware of.  The standard removes the need for users to pay attention

to the browser padlock icon and other HTTPS indicators.

 

Thanks 

 

Dan Schutzer

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Stuart E. Schechter
Sent: Thursday, April 12, 2007 3:58 PM
To: Web Security Context WG
Subject: Re: DNSSEC indicator

 

 

I just realized I followed suit in sending this to the wrong address. -s

 

------ Forwarded Message

From: "Stuart E. Schechter" <ses@ll.mit.edu>

Subject: Re: DNSSEC indicator

 

> From: <michael.mccormick@wellsfargo.com>

 

> One issue SwedBank has run into as DNSSEC rolls out in Sweden (quoting
Kjell's

> presentation): "Will Microsoft and Mozilla implement a DNSSEC indicator in

> their browsers?"

...  

> My personal opinion is DNSSEC should probably be another input to the
agent

> security context display along with the others we've talked about (e.g.,

> SSL/TLS).  There are some practical obstacles to overcome -- for instance
the

> name resolver built into the client OS or browser has to be DNSSEC-capable
as

> a prerequisite for this -- but it seems it ought to be on the roadmap.  I

> believe DNSSEC has more potential benefit if it's visible to end users.

 

Michael:

 

   I'm a strong advocate of DNSSEC, but I'm certain it will fail users are

required to notice an indictor of its presence or absence.  SSL indicators

are visible to end users and users don't notice them.

 

   I have been working on a new standard that would employ DNSSEC to reduce,

rather than increase, the amount of security information that users need to

be made aware of.  The standard removes the need for users to pay attention

to the browser padlock icon and other HTTPS indicators.  When I've talked to

folks at Mozilla and on Microsoft's IE team, I've found the generally agree

that this is the area where DNSSEC can provide value to them.  Alas, because

it introduces a new record into the DNS, it is out of scope for this working

group.

 

   When it comes to security indicators, more is not necessarily better.

 

   Cheers

 

   Stuart

 

 

 

 

Received on Friday, 13 April 2007 11:03:43 UTC