[Discuss] free SSL certs from the EFF

[Richard Pieri]

On 12/7/2014 2:02 PM, Bill Horne wrote:
> Of course, theory and practice often differ in security, and we've all
> met mister "JustDoItOrYou'reFired" who likes to tell us to break the
> rules, but that isn't a technical problem. A well designed security
> suite will give Joe the option of sending his reports by encrypting them
> first with a few key clicks.

Therein lies what I consider to be the most egregious flaw in DNSSEC 
from an end user's perspective: no choice. Joe has no choice but to use 
it and accept that he can't work at all when it comes under attack 
assuming DNSSEC is being enforced which is contrary to DNSSEC mandatory 
requirements but that's a tangent. I'm not saying that DNSSEC is flawed 
(well, I think it is, but that's another tangent). I'm saying that 
DNSSEC is not an end user's tool and that you're going to experience 
serious problems if you try to use it as one.

In my opinion, a well-designed -- that is, well-designed for end users 
-- secure DNS system should provide reliable, authenticated answers 
despite attacks made against the system. DNSSEC does not do this. It 
doesn't try because, like I wrote way back at the start of all this, 
it's a last hop issue that lies outside of the scope of DNSSEC.

A few days ago Ed posited that we'll get there someday. Truth is, we've 
been there for some time. With DNSCurve and DNSCrypt we have exactly the 
kinds of encrypted DNS service that he called for. Why haven't they been 
widely adopted? I figure it's a "Paul Vixie, yes! DJB, no!" issue.

-- 
Rich P.