<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Sep 8, 2013 at 3:08 PM, Perry E. Metzger <span dir="ltr"><<a href="mailto:perry@piermont.com" target="_blank">perry@piermont.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Sun, 8 Sep 2013 08:40:38 -0400 Phillip Hallam-Baker<br>
<<a href="mailto:hallam@gmail.com" target="_blank">hallam@gmail.com</a>> wrote:<br>
> The Registrars are pure marketing operations. Other than GoDaddy<br>
> which implemented DNSSEC because they are trying to sell the<br>
> business and more tech looks kewl during due diligence, there is<br>
> not a market demand for DNSSEC.<br>
<br>
Not to discuss this particular case, but I often see claims to the<br>
effect that "there is no market demand for security".<br>
<br>
I'd like to note two things about such claims.<br>
<br>
1) Although I don't think P H-B is an NSA plant here, I do<br>
wonder about how often we've heard that in the last decade from<br>
someone trying to reduce security.<br></blockquote><div><br></div><div>There is a market demand for security. But it is always item #3 on the list of priorities and the top two get done.</div><div><br></div><div>I have sold seven figure crypto installations that have remained shelfware.</div>
<div><br></div><div>The moral is that we have to find other market reasons to use security. For example simplifying administration of endpoints. I do not argue like some do that there is no market for security so we should give up, I argue that there is little market for something that only provides security and so to sell security we have to attach it to something they want.</div>
<div><br></div><div><br></div><div> <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
2) I doubt that safety is, per se, anything the market demands from<br>
cars, food, houses, etc. When people buy such products, they don't<br>
spend much time asking "so, this house, did you make sure it won't<br>
fall down while we're in it and kill my family?" or "this coffee mug,<br>
it doesn't leach arsenic into the coffee does it?"<br></blockquote><div><br></div><div>People buy guns despite statistics that show that they are orders of magnitude more likely to be shot with the gun themselves rather than by an attacker. </div>
<div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
However, if you told consumers "did you know that food manufacturer<br>
X does not test its food for deadly bacteria on the basis that ``there<br>
is no market demand for safety''", they would form a lynch mob.<br>
Consumers *presume* their smart phones will not leak their bank<br>
account data and the like given that there is a banking app for it,<br>
just as they *presume* that their toaster will not electrocute them.<br></blockquote><div><br></div><div>Yes, but most cases the telco will only buy a fix after they have been burned.</div><div><br></div><div>To sell DNSSEC we should provide a benefit to the people who need to do the deployment. Problem is that the perceived benefit is to the people going to the site which is different...</div>
<div><br></div><div><br></div><div>It is fixable, people just need to understand that the stuff does not sell itself.</div></div><div><br></div>-- <br>Website: <a href="http://hallambaker.com/" target="_blank">http://hallambaker.com/</a><br>
</div></div>