[dns-operations] Implementation of negative trust anchors?

Mike Hoskins (michoski) michoski at cisco.com
Wed Sep 4 15:55:37 UTC 2013

-----Original Message-----

From: Ondřej Surý <ondrej.sury at nic.cz>
Date: Wednesday, September 4, 2013 10:37 AM
To: "WBrown at e1b.org" <WBrown at e1b.org>
Cc: "dns-operations at dns-oarc.net" <dns-operations at dns-oarc.net>
Subject: Re: [dns-operations] Implementation of negative trust anchors?

>On 22. 8. 2013, at 21:59, WBrown at e1b.org wrote:
>> Our browsers give us the option to trust invalid TLS certificates, some
>> even storing it indefinitely.  Is an NTA much different?
>And in certain circles it's considered by one of the biggest mistakes
>that could have happened, and the reason why the whole PKI fails so hard

I just want to point out that vendors or software in general should
certainly ship secure by default, BUT also give users the option to shoot
their own foot (with adequate documentation and shepherding away from
loading the gun).

I believe in security, but also free choice.  When the two seem to
conflict, better education is the answer not removing one's ability to
make choices.  There will always be use cases the smartest can not fathom
which make perfect sense to someone you have not met...no matter how well
intentioned we are, I don't believe controlling someone else's destiny
through force alone is the right path.  In my mind, this applies to
SSL/TLS, NTA, etc.

More information about the dns-operations mailing list