[Pdns-users] CERT RR?

Duane duane at e164.org
Tue Apr 11 12:14:07 UTC 2006

Marten Lehmann wrote:

> I think the reality is somewhat different if you e.g. look to the 
> extensions of GnuPG that have been made recently. Signatures will become 

PGP/GPG have been around for a very long time (10-15 yrs?) and made few 
if any inroads in the usage of the general internet population...

> very important as it is the only way to verify an identity. The lack of 

False assumption, there are many ways to verify an identity, online 
social networks prove this all the time through the way people say 
things, and what that do... They do this to weed out fake identities for 
other reasons, but the idea is the same and can be applied to any number 
of things, such as people spamming mailing lists under someone else's 
email address (header information help with determination) but digital 
IDs do nothing for most people that have a butt load of trojans on their 

> S/MIME is, that it requires CAs to issue certs which does cost money and 

False, it costs nothing to make a self signed cert, you are paying 
anti-pop-up fees for CAs in browsers...

> is very centralised. On the other hand there is PGP which uses a 
> web-of-trust which doesn't really work, because in a company you don't 

Don't get me started on PGP's model... To sum things up, there is no 
consistency, so if you ask what the "web of trust" is to any number of 
PGP users and what it means, I'm sure you'd get a variety of different 
answers, but at the end of the day you can't gain "trust" from a 10 
minute meeting in a pub, at best you verify ID, but unless you re-verify 
this has little value, since it's easy to "prove" you are who you say 
your are at this moment in time, it's only through re-verification you 
prove you still are that identity...

> want your keys to be signed by external keys, but you want to build your 
> own hierarchical "web-of-trust" where you sysadmins must be able to 
> issue keys but they must be trusted by external parties without being 
> signed by 20 other keys to become trusted. Thats what DNS-CERT is 

Yet another disparate web ring weeeeeeeee... They scale about that at 
most, 20 odd people :)

> invented for: Keys are stored with the domain name so in a way you build 
> your own CAs which are verified by the CERT-record of the according 

And for those that don't own a domain?

> domain name. I also found a nice article that explains all this, but its 
> in German: http://www.heise.de/security/artikel/71726 Maybe you can 
> translate it with babelfish or find an English version.

GPG/PGP already have a number of methods of distribution I don't see how 
storing this info in DNS will be more useful then say what we're 
(e164.org) doing by storing GPG finger prints, or even just email 
addresses against phone numbers... Basically people are lazy and will do 
whatever is easiest which means digital IDs will be meaningless for the 
most part :)

> Thats a completely different story but I can explain it anyway: Certs 
> from CAs cost money, a lot of money. SSL is for encrypting sensitive 

Snake oil at best, it doesn't cost anything to make a self signed cert...

As for cost specifically, one CA in the browsers root stores were 
offering certs for about US$8 at one stage till they figured out people 
were using them instead of paying more so they increased the price to 
US$15 last time I checked...

> data and increases the load on the webservers. Whats the use of 
> encrypting non-sensitive data and paying for a cert if you are hosting 
> public information like news, pictures, your blog, personal homepage or 
> whatever?

Load on servers is minimal for most people due to increases in CPU 
power, it may have been a big issue for most in the past but isn't the 
case so much these days. If it is a problem there are a number of 
hardware accelerators...

> Sites? Not sites are using SSH but developers working on sites (and 
> besides that a can do a lot more with SSH than just updating your 
> homepage). I don't know anyone that is using the old telnet but everyone 
> is using SSH.

There was a SSL extension to telnet, but that went the way of the dodo, 
even though people could have used self signed certs...


Best regards,

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Because e164.arpa is a tax on VoIP

"In the long run the pessimist may be proved right,
     but the optimist has a better time on the trip."

More information about the Pdns-users mailing list