[148006] in cryptography@c2.net mail archive
Re: [Cryptography] DNSSEC = completely unnecessary?
daemon@ATHENA.MIT.EDU (Bill Stewart)
Mon Nov 4 23:33:18 2013
X-Original-To: cryptography@metzdowd.com
Date: Mon, 04 Nov 2013 17:48:09 -0800
To: cryptography@metzdowd.com
From: Bill Stewart <bill.stewart@pobox.com>
In-Reply-To: <18B88BE7-7E0B-4F6C-A2F6-9AF7E9637306@kinostudios.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
At 08:33 PM 11/3/2013, Greg <greg@kinostudios.com> wrote:
>In all my readings on it I kept walking away thinking that I
>understood its purpose, but I'd then come back at myself with the
>same question: what does it give us over HTTPS?
SSH isn't HTTPS. Nor are SFTP, SCP, etc.
IPSEC isn't HTTPS.
Outbound Email isn't HTTPS, even if it's sometimes TLS.
Inbound SMTP often isn't even TLS, but sometimes you want to check
where it came from.
DNS isn't HTTPS, but sometimes you want to trust it, or if you're Dan
Kaminsky you might want to tunnel ssh and video over it.
NFS isn't HTTPS, and sometimes you want to use DNS with it.
Printer protocols often aren't HTTPS.
There really are protocols that don't look like HTTP variants, but
use DNS. And DNSSEC has theoretically been around a long time, even
though in practice it got delayed for years and we did SSL/TLS instead.
DNSSEC doesn't protect you against exactly the same threats that
SSL/TLS CAs do - it does a better job of confirming that you're
talking to example.com when you think you are. Some CAs try to do a
better job of telling you that example.com belongs to The Example
Corporation, as opposed to examp1e.com (note the numeral "1") which
belongs to Scammers Inc., but you've got to be good at restricting
which CAs you believe.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
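The message above ends on the examp1e.com point: a certificate (or a DNSSEC-signed answer) can be perfectly valid for a name that merely looks like the one you meant. The following is an added example, not part of Bill Stewart's post or the list archive, showing the defender-side check that complements either trust system: map names to a confusable "skeleton" (in the spirit of Unicode TS #39, simplified here to a hand-picked ASCII table that is an assumption of this example) and flag any presented name whose skeleton collides with a name the operator already trusts. The trusted list and the presented names are constructed sample data.

```python
"""Flag lookalike hostnames such as examp1e.com imitating example.com.

Added example, not code from the original mailing-list post. The confusable
tables below are a small hand-picked subset chosen for illustration; a real
deployment would use the full Unicode confusables data.
"""
from typing import Iterable, List, Optional, Tuple

# Single characters that render like a different letter in common fonts.
# Each key is replaced by its value when building a skeleton.
_CHAR_SKELETON = {
    "1": "l",   # numeral one vs lowercase L (the examp1e.com case)
    "0": "o",   # zero vs lowercase O
    "5": "s",
    "8": "b",
}

# Two-character sequences that render like one letter.
_SEQ_SKELETON = [
    ("rn", "m"),   # "exarnple" reads as "example"
    ("vv", "w"),
    ("cl", "d"),
]


def _canon(name: str) -> str:
    """Lowercase and drop a trailing dot so FQDN and relative forms compare."""
    return name.strip().lower().rstrip(".")


def skeleton(name: str) -> str:
    """Return the confusable skeleton of a hostname.

    Both the trusted name and the candidate are mapped through the same
    function, so "example.com" and "examp1e.com" collapse to the same string.
    """
    s = _canon(name)
    for seq, repl in _SEQ_SKELETON:
        s = s.replace(seq, repl)
    return "".join(_CHAR_SKELETON.get(ch, ch) for ch in s)


def lookalike_of(candidate: str, trusted: Iterable[str]) -> Optional[str]:
    """Return the trusted name that `candidate` imitates, or None.

    An exact (case-insensitive) match is not a lookalike: the candidate
    simply *is* the trusted name. Only skeleton collisions between
    different names are reported.
    """
    trusted = list(trusted)
    cand = _canon(candidate)
    if cand in (_canon(t) for t in trusted):
        return None
    sk = skeleton(cand)
    for t in trusted:
        if skeleton(t) == sk:
            return t
    return None


def check_presented_names(presented: Iterable[str],
                          trusted: Iterable[str]) -> List[Tuple[str, str]]:
    """Check every name a peer presents (e.g. certificate SAN entries).

    Returns (presented_name, imitated_trusted_name) pairs worth alerting on.
    """
    trusted = list(trusted)
    hits = []
    for name in presented:
        target = lookalike_of(name, trusted)
        if target is not None:
            hits.append((name, target))
    return hits


if __name__ == "__main__":
    # Constructed sample: names an operator trusts, and names seen in a
    # hypothetical certificate presented during a connection.
    trusted_names = ["example.com", "mail.example.com"]
    presented_names = ["examp1e.com", "exarnple.com", "example.com", "other.net"]
    for seen, imitated in check_presented_names(presented_names, trusted_names):
        print(f"ALERT: {seen} looks like trusted name {imitated}")
```

The point of running both names through the same skeleton function is that the check is symmetric: it does not matter which spelling the attacker-controlled side chose, only whether it collides with something already trusted. A signed DNS answer or a CA-issued certificate for the lookalike would still validate; this check is the extra step that catches it.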