[146773] in cryptography@c2.net mail archive


Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Sat Sep 7 17:03:09 2013

In-Reply-To: <522AEF9C.5010801@iang.org>
Date: Sat, 7 Sep 2013 16:12:54 -0400
From: Phillip Hallam-Baker <hallam@gmail.com>
To: ianG <iang@iang.org>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>


On Sat, Sep 7, 2013 at 5:19 AM, ianG <iang@iang.org> wrote:

> On 7/09/13 10:15 AM, Gregory Perry wrote:
>
>> Correct me if I am wrong, but in my humble opinion the original intent
>> of the DNSSEC framework was to provide for cryptographic authenticity
>> of the Domain Name Service, not for confidentiality (although that
>> would have been a bonus).
>
> If so, then the domain owner can deliver a public key with authenticity
> using the DNS.  This strikes a deathblow to the CA industry.  This threat
> is enough for CAs to spend a significant amount of money slowing down its
> development [0].
>
> How much more obvious does it get [1] ?
>

Good theory, only the CA industry tried very hard to deploy and was
prevented from doing so because Randy Bush abused his position as DNSEXT
chair to prevent modification of the spec to meet the deployment
requirements in .com.

DNSSEC would have deployed in 2003 with the DNS ATLAS upgrade had the IETF
followed the clear consensus of the DNSEXT working group and approved the
OPT-IN proposal. The code was written and ready to deploy.

I told the IESG and the IAB that the VeriSign position was no bluff and
that if OPT-IN did not get approved there would be no deployment in .com. A
business is not going to spend $100 million on deployment of a feature that
has no proven market demand when the same job can be done for $5 million
with only minor changes.


CAs do not make their money in the ways you imagine. If there were any
business case for DNSSEC I would have no problem at all finding people
willing to pay $50-100 to have a CA run their DNSSEC for them, because that
is going to be a lot cheaper than finding a geek with the skills needed to
do the configuration, let alone do the work.

One reason that PGP has not spread very far is that there is no group that
has a commercial interest in marketing it.

At the moment revenues from S/MIME are insignificant for all the CAs.
Comodo gives away S/MIME certs for free. It's just not worth enough to try
to charge for right now.

If we can get people using secure email or DNSSEC on a large scale then CAs
will figure out how to make money from it. But right now nobody is making a
profit from either.


-- 
Website: http://hallambaker.com/

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography