[Pdns-users] CERT RR?
duane at e164.org
Tue Apr 11 12:14:07 UTC 2006
Marten Lehmann wrote:
> I think the reality is somewhat different if you e.g. look to the
> extensions of GnuPG that have been made recently. Signatures will become
PGP/GPG have been around for a very long time (10-15 yrs?) and made few
if any inroads in the usage of the general internet population...
> very important as it is the only way to verify an identity. The lack of
False assumption, there are many ways to verify an identity, online
social networks prove this all the time through the way people say
things, and what that do... They do this to weed out fake identities for
other reasons, but the idea is the same and can be applied to any number
of things, such as people spamming mailing lists under someone else's
email address (header information help with determination) but digital
IDs do nothing for most people that have a butt load of trojans on their
> S/MIME is, that it requires CAs to issue certs which does cost money and
False, it costs nothing to make a self signed cert, you are paying
anti-pop-up fees for CAs in browsers...
> is very centralised. On the other hand there is PGP which uses a
> web-of-trust which doesn't really work, because in a company you don't
Don't get me started on PGP's model... To sum things up, there is no
consistency, so if you ask what the "web of trust" is to any number of
PGP users and what it means, I'm sure you'd get a variety of different
answers, but at the end of the day you can't gain "trust" from a 10
minute meeting in a pub, at best you verify ID, but unless you re-verify
this has little value, since it's easy to "prove" you are who you say
your are at this moment in time, it's only through re-verification you
prove you still are that identity...
> want your keys to be signed by external keys, but you want to build your
> own hierarchical "web-of-trust" where you sysadmins must be able to
> issue keys but they must be trusted by external parties without being
> signed by 20 other keys to become trusted. Thats what DNS-CERT is
Yet another disparate web ring weeeeeeeee... They scale about that at
most, 20 odd people :)
> invented for: Keys are stored with the domain name so in a way you build
> your own CAs which are verified by the CERT-record of the according
And for those that don't own a domain?
> domain name. I also found a nice article that explains all this, but its
> in German: http://www.heise.de/security/artikel/71726 Maybe you can
> translate it with babelfish or find an English version.
GPG/PGP already have a number of methods of distribution I don't see how
storing this info in DNS will be more useful then say what we're
(e164.org) doing by storing GPG finger prints, or even just email
addresses against phone numbers... Basically people are lazy and will do
whatever is easiest which means digital IDs will be meaningless for the
most part :)
> Thats a completely different story but I can explain it anyway: Certs
> from CAs cost money, a lot of money. SSL is for encrypting sensitive
Snake oil at best, it doesn't cost anything to make a self signed cert...
As for cost specifically, one CA in the browsers root stores were
offering certs for about US$8 at one stage till they figured out people
were using them instead of paying more so they increased the price to
US$15 last time I checked...
> data and increases the load on the webservers. Whats the use of
> encrypting non-sensitive data and paying for a cert if you are hosting
> public information like news, pictures, your blog, personal homepage or
Load on servers is minimal for most people due to increases in CPU
power, it may have been a big issue for most in the past but isn't the
case so much these days. If it is a problem there are a number of
> Sites? Not sites are using SSH but developers working on sites (and
> besides that a can do a lot more with SSH than just updating your
> homepage). I don't know anyone that is using the old telnet but everyone
> is using SSH.
There was a SSL extension to telnet, but that went the way of the dodo,
even though people could have used self signed certs...
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Because e164.arpa is a tax on VoIP
"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."
More information about the Pdns-users