[dns-operations] Implementation of negative trust anchors?

ondrej.sury at nic.cz
Wed Sep 4 16:37:05 UTC 2013

On 2013-09-04 17:55, Mike Hoskins (michoski) wrote:
> -----Original Message-----
> From: Ondřej Surý <ondrej.sury at nic.cz>
> Date: Wednesday, September 4, 2013 10:37 AM
> To: "WBrown at e1b.org" <WBrown at e1b.org>
> Cc: "dns-operations at dns-oarc.net" <dns-operations at dns-oarc.net>
> Subject: Re: [dns-operations] Implementation of negative trust anchors?
>> On 22. 8. 2013, at 21:59, WBrown at e1b.org wrote:
>>> Our browsers give us the option to trust invalid TLS certificates, some
>>> even storing it indefinitely.  Is an NTA much different?
>> And in certain circles it's considered one of the biggest mistakes
>> that could have happened, and the reason why the whole PKI fails so hard
>> now.
> I just want to point out that vendors or software in general should
> certainly ship secure by default, BUT also give users the option to shoot
> their own foot (with adequate documentation and shepherding away from
> loading the gun).

That could work in a community of geeks, but not in consumer electronics.

> I believe in security, but also free choice.

I don't think this is about free choice, but about adhering to the protocol.

> When the two seem to conflict, better education is the answer not removing
> one's ability to make choices.  There will always be use cases the smartest
> can not fathom which make perfect sense to someone you have not met...no
> matter how well intentioned we are, I don't believe controlling someone
> else's destiny through force alone is the right path.  In my mind, this
> applies to SSL/TLS, NTA, etc.

This is not a technical but a philosophical question about where you
draw the line.  Is your bank limiting your free choice by not providing
the option to give free access to your money to random visitors?

