Re: DNSSEC indicator

Since I'm hearing lots of consensus that we want to minimize the number of
security indicators users have to pay attention to, I'm attaching my
proposal for using DNSSEC to reduce the number of these indicators.  The
proposed feature ensures that HTTPS works even if users ignore the padlock
icon.

I'm sending the proposal to this list only so that the group can know what
other efforts are underway---the proposal is not in scope for the group as
it adds a new record to the DNS.  However, since we're discussing both
DNSSEC and security indicators, it may be of interest to some of you.  If
you read it, I'd greatly appreciate your comments---just take them off list
and send them directly to me to avoid polluting the mailing list with
content that's out of scope.

Cheers

Stuart


> From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
> Date: Thu, 26 Apr 2007 06:22:16 -0700
> To: Dan Schutzer <dan.schutzer@fstc.org>, Dick Hardt <dick@sxip.com>
> Cc: Thomas Roessler <tlr@w3.org>, <michael.mccormick@wellsfargo.com>,
> <ses@ll.mit.edu>, <public-wsc-wg@w3.org>, <kjell.rydjer@swedbank.se>,
> <steve@shinkuro.com>, <public-usable-authentication@w3.org>, Ben Laurie
> <benl@google.com>
> Subject: RE: DNSSEC indicator
> Resent-From: <public-usable-authentication@w3.org>
> Resent-Date: Thu, 26 Apr 2007 13:23:40 +0000
> 
> 
> I think we are approaching this from the wrong angle.
> 
> Clearly DNSSEC is a feature that we need to address since it is an IETF
> standard that is planned for deployment within the period the recommendation
> is intended to be current. Not mentioning it would be rude.
> 
> 
> There are two questions to ask here, first how many security indicators can
> users cope with, second what level of security indicator does DNSSEC deserve?
> 
> If the answer to the first question is essentially binary, secure/not secure
> then DNSSEC alone is not going to cut it.
> 
> I suspect that we end up with three levels: no indicator, padlock, enhanced. I
> don't think that DNSSEC alone justifies a padlock either, not unless we
> somehow achieve a key exchange and encrypt the link.
> 
> 
> There are important uses for DNSSEC, presenting a browser security indicator
> is not one of them. I can well imagine future security profiles that might
> require DNSSEC.
>  
> 
>> -----Original Message-----
>> From: public-usable-authentication-request@w3.org
>> [mailto:public-usable-authentication-request@w3.org] On
>> Behalf Of Dan Schutzer
>> Sent: Thursday, April 26, 2007 6:52 AM
>> To: 'Dick Hardt'
>> Cc: 'Thomas Roessler'; michael.mccormick@wellsfargo.com;
>> ses@ll.mit.edu; public-wsc-wg@w3.org;
>> kjell.rydjer@swedbank.se; steve@shinkuro.com;
>> public-usable-authentication@w3.org; 'Ben Laurie'
>> Subject: RE: DNSSEC indicator
>> 
>> 
>> I agree. So, DNSSEC provides me both a secure link and
>> greater confidence that I am speaking to the correct domain name
>> 
>> -----Original Message-----
>> From: public-usable-authentication-request@w3.org
>> [mailto:public-usable-authentication-request@w3.org] On
>> Behalf Of Dick Hardt
>> Sent: Thursday, April 26, 2007 6:19 AM
>> To: Dan Schutzer
>> Cc: Thomas Roessler; michael.mccormick@wellsfargo.com;
>> ses@ll.mit.edu; public-wsc-wg@w3.org;
>> kjell.rydjer@swedbank.se; steve@shinkuro.com;
>> public-usable-authentication@w3.org; Ben Laurie
>> Subject: Re: DNSSEC indicator
>> 
>> 
>> fwiw I have always envisioned the significant impact of
>> DNSSEC was to provide a "trusted" method for tying the public
>> key used in TLS to the domain name bypassing the "leaky" CA
>> infrastructure.
>> 
>> -- Dick
>> 
>> On 26-Apr-07, at 12:03 PM, Dan Schutzer wrote:
>> 
>>> 
>>> Here is my take
>>> 
>>> If they got the mapping from the domain name to the IP address
>>> securely, it indicates that they are at the correct web site (the site
>>> belonging to the url they typed in), so if they send sensitive
>>> information to the site, it is going to the correct site. However, if
>>> the connection is not secured, then the information can be intercepted
>>> by a man in the middle attack. However,
>>> if the link is TLS secured, then the information cannot be intercepted
>>> in transit. To be confident one's personal information is not being
>>> stolen, one would need to look at both indicators.
>>> 
>>> -----Original Message-----
>>> From: public-usable-authentication-request@w3.org
>>> [mailto:public-usable-authentication-request@w3.org] On Behalf Of
>>> Thomas Roessler
>>> Sent: Thursday, April 26, 2007 5:35 AM
>>> To: michael.mccormick@wellsfargo.com
>>> Cc: ses@ll.mit.edu; public-wsc-wg@w3.org; kjell.rydjer@swedbank.se;
>>> steve@shinkuro.com; public-usable-authentication@w3.org
>>> Subject: Re: DNSSEC indicator
>>> 
>>> 
>>> (CC to the public comment list, since some folks who aren't on the
>>> WG are copied on this conversation.)
>>> 
>>> On 2007-04-13 13:33:25 -0500, michael.mccormick@wellsfargo.com wrote:
>>> 
>>>> I still think DNSSEC will be more valuable if it's visible to the
>>>> end user.  True, most won't care.  But some will, especially if
>>>> it can be presented in an intuitive and jargon-free fashion in
>>>> the UI.
>>> 
>>> So, a user encounters a DNSSEC indicator.  That means that they got
>>> the mapping from the domain name to the IP address securely.  It
>>> doesn't tell them *anything* about the security of the conversation
>>> that goes on on higher protocol levels.
>>> 
>>> On the other hand, if TLS is in place, the security of the
>>> connection doesn't really depend on DNSSEC, so the presence or
>>> absence of that indicator wouldn't provide any particularly useful
>>> information.
>>> 
>>> Maybe one of you guys could enlighten me what user decision such an
>>> indicator would reasonably support?
>>> 
>>> Thanks,
>>> -- 
>>> Thomas Roessler, W3C  <tlr@w3.org>
>>> 
> 

Received on Thursday, 26 April 2007 15:33:56 UTC