[Cryptography] Why are some protocols hard to deploy? (was Re: Opening Discussion: Speculation on "BULLRUN")

Perry E. Metzger perry at piermont.com
Sun Sep 8 14:24:14 EDT 2013


On Sat, 07 Sep 2013 18:50:06 -0700 John Gilmore <gnu at toad.com> wrote:
> It was never clear to me why DNSSEC took so long to deploy,
[...]
> PS: My long-standing domain registrar (enom.com) STILL doesn't
> support DNSSEC records -- which is why toad.com doesn't have DNSSEC
> protection.  Can anybody recommend a good, cheap, reliable domain
> registrar who DOES update their software to support standards from
> ten years ago?

I believe you have answered your own question there, John. Even if we
assume subversion, deployment requires cooperation from too many
people to be fast.

One reason I think it would be good to have future key management
protocols based on very lightweight mechanisms that do not require
assistance from site administrators to deploy is that it makes it
ever so much easier for things to get off the ground. SSH deployed
fast because one didn't need anyone's cooperation to use it -- if you
had root on a server and wanted to log in to it securely, you could
be up and running in minutes.

We need to make more of our systems like that. The problem with
DNSSEC is it is so obviously architecturally "correct" but so
difficult to deploy without many parties cooperating that it has
acted as an enormous tar baby.

Perry
-- 
Perry E. Metzger		perry at piermont.com

