<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">Viktor Dukhovni <<a href="mailto:ietf-dane@dukhovni.org">ietf-dane@dukhovni.org</a>> wrote on Wed, 13 Dec 2017 at 3:38 AM:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
<br>
> On Dec 12, 2017, at 8:11 AM, Phil Regnauld <<a href="mailto:regnauld@nsrc.org" target="_blank">regnauld@nsrc.org</a>> wrote:<br>
><br>
>> My $0.02, find some way to make initial domain acquisition be a<br>
>> more costly longer commitment (perhaps with fees for remaining<br>
>> years transferable between registrars to avoid registrar lock-in).<br>
><br>
> I may be naive, but this bugs me as much as people complaining<br>
> that LetsEncrypt (including soon to be available wildcard certs)<br>
> is somehow undermining the security of the Internet.<br>
><br>
> If something is broken by design, say, SMTP authentication, or<br>
> the whole idea of X.509 CAs, then complaining that more gTLDs<br>
> or free TLS certs is making things worse is like saying that<br>
> higher speed limits on the road make cars more dangerous (yeah,<br>
> analogies suck).<br>
<br>
Well, here we have apples and oranges. Abuse of gTLDs by crooks is a<br>
problem of economic externalities, and calls for an economic solution.<br>
There's no reason to make domain ownership cheap for crooks who cycle<br>
through (10s, 100s, ... of) thousands of domains.<br>
<br>
I personally have no issues at all with LE issuing DV certificates to<br>
all domains, trustworthy or otherwise. TLS provides secure transport,<br>
not an honest peer. If some expect an honest peer, that's a problem<br>
with misleading marketing, and the solution will require updated user<br>
interfaces and training, that do not lull users into a false sense of<br>
"security".<br></blockquote><div><br></div><div>TLS provides secure transport, not an honest peer. +1</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
As for SMTP authentication (I assume you really mean message rather than<br>
transport authentication), that's a difficult architectural issue. Email<br>
delivery is asynchronous, and supports forwarding and redistribution via<br>
lists, ... And list users seem to really prize subject tags and footers<br>
that break digital signatures. No amount of message authentication tech<br>
will stop scams so long as buying and dumping domains by the boatload is<br>
cheap.<br>
<br>
Mind you, many receiving systems are taking matters into their own hands<br>
and blocking a bunch of the new gTLDs wholesale. If they also block<br>
HTTP/HTTPS to those domains, or just configure their resolvers to block<br>
resolution, we end up with a somewhat balkanized DNS, but at least some<br>
economic consequences for gTLDs whose business model is primarily shady<br>
domains.<br>
<br>
--<br>
Viktor.<br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</blockquote></div></div><div dir="ltr">-- <br></div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Best Regards<br><br>潘蓝兰 Pan Lanlan<br></div></div>
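The wholesale blocking of certain TLDs at mail receivers and resolvers that the quoted message describes comes down to a policy check on the rightmost DNS label of a sender's domain. The Python below is an added illustration written for this page; it is not code from this thread or from any of the systems mentioned. The blocked TLD names `badtld` and `spamtld` are placeholders invented for the example and say nothing about any real registry, and the sample sender addresses are constructed. It shows the details such a check has to get right: matching on a whole label rather than a suffix string, ignoring case and a trailing dot, converting Unicode labels to their IDNA (`xn--`) form before matching, and not swallowing the null sender used for bounces.

```python
"""Receiver-side TLD policy: reject mail whose sender domain sits under a
blocked top-level domain.  Added illustration, not code from the thread.
The blocked TLDs are placeholders invented for the example."""
from email.utils import parseaddr

# Constructed policy for the example: TLDs this receiver refuses outright.
BLOCKED_TLDS = frozenset({"badtld", "spamtld"})


def normalize_domain(name: str) -> str:
    """Canonical form for matching: lowercase, no trailing dot, and any
    Unicode labels converted to their ASCII (xn--) form so a sender cannot
    dodge a TLD rule by writing the same name in another script."""
    name = name.strip().rstrip(".").lower()
    if not name.isascii():
        # The stdlib 'idna' codec (IDNA 2003) is enough for an illustration;
        # production code would use the third-party 'idna' package (IDNA 2008).
        name = name.encode("idna").decode("ascii")
    return name


def tld_of(domain: str) -> str:
    """Rightmost label of the normalized domain ('' for an empty name)."""
    return normalize_domain(domain).rsplit(".", 1)[-1]


def is_blocked_tld(domain: str, blocked: frozenset = BLOCKED_TLDS) -> bool:
    """True when the domain's TLD is on the block list.  The whole final
    label is compared, so 'mail.badtld' is blocked while 'badtld.com'
    (badtld as a second-level label) and 'notbadtld' are not."""
    return tld_of(domain) in blocked


def sender_domain(address: str) -> str:
    """Domain part of an RFC 5322 address, or '' when there is none
    (the null sender '<>' used for bounces, or malformed input)."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1]


def evaluate_senders(addresses, blocked=BLOCKED_TLDS):
    """Return a list of (address, verdict): 'reject' for a blocked TLD,
    'accept' otherwise.  An address without a domain is accepted so that
    bounces are not swallowed; a real deployment may decide differently."""
    verdicts = []
    for addr in addresses:
        domain = sender_domain(addr)
        verdict = "reject" if domain and is_blocked_tld(domain, blocked) else "accept"
        verdicts.append((addr, verdict))
    return verdicts


# Constructed sample senders for the example.
SAMPLE_SENDERS = [
    "Alice <alice@mail.example.com>",
    "promo@offers.badtld",
    "Promo <promo@OFFERS.BADTLD.>",   # case and trailing dot must not matter
    "noreply@badtld.com",            # 'badtld' as SLD, not TLD: allowed
    "<>",                            # null sender (bounce)
    "用户@例子.spamtld",              # Unicode labels: caught after IDNA
]

if __name__ == "__main__":
    for addr, verdict in evaluate_senders(SAMPLE_SENDERS):
        print(f"{verdict:6s} {addr}")
```

The same label-boundary and IDNA normalization apply when the policy is enforced elsewhere, for instance against link domains in a message body or as resolver rules that return NXDOMAIN for everything under a TLD; the decision about which TLDs to list is the economic one the thread is about, and nothing in this code makes it.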