[Cryptography] Certificates and PKI
Viktor Dukhovni
cryptography at dukhovni.org
Sun Dec 28 10:05:00 EST 2014
On Sat, Dec 27, 2014 at 12:22:21PM -0500, Paul Wouters wrote:
> >CT for parent domains serving entries in what should be a child
> >domain is doable I think.
>
> As someone told me offline, qname minimalization actually solves this
> problem.
This had occurred to me, but there are some issues:
* With "_<port>._<proto>.mxhost.example.com" one might
now need to make 5 queries instead of 3, unless there
is a way to "tune" minimization. I am concerned about the
impact on latency.
* Validating stub resolvers would need to retrieve each
of the relevant intermediate nodes, increasing the number of
messages sent to the recursive resolver.
* This still might not address denial of existence "spam".
> >I've not been following the "trans" working group, is there a
> >plausible design for CT for DNSSEC, or do the problems look
> >intractable?
>
> That discussion has started, but the WG first wants to focus on the core
> documents and complete those before moving into the other areas such as
> DNSSEC and binary blob transparency.
Thanks for the update. Understood.
--
Viktor.
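The "5 queries instead of 3" count in the first bullet can be checked with a small model of iterative resolution. The script below is an added illustration, not code from the mail or from any resolver; it assumes a constructed delegation chain (root, com, example.com), a constructed TLSA-style name "_25._tcp.mxhost.example.com", no caching, and a resolver that sends the full qname to each zone down the chain (classic) or adds one label per query (RFC 7816 style minimization). NS lookups, glue, NXDOMAIN handling and DNSSEC records are left out.

```python
from typing import List, Tuple

# Names are written without a trailing dot; the root zone is "".


def labels(name: str) -> List[str]:
    """Split a name into its labels in written order, e.g. 'a.b.com' -> ['a', 'b', 'com']."""
    return [l for l in name.strip(".").split(".") if l]


def zones_on_path(qname: str, zone_cuts: List[str]) -> List[str]:
    """Zone apexes that are ancestors of (or equal to) qname, ordered root first."""
    q = labels(qname)
    path = []
    for z in zone_cuts:
        zl = labels(z)
        if len(zl) <= len(q) and q[len(q) - len(zl):] == zl:
            path.append(z)
    return sorted(path, key=lambda z: len(labels(z)))


def query_sequence(qname: str, zone_cuts: List[str], minimize: bool) -> List[Tuple[str, str]]:
    """Return the (zone asked, name sent) pairs an uncached iterative resolver
    would issue for qname, starting at the root servers."""
    q = labels(qname)
    path = zones_on_path(qname, zone_cuts)
    if not minimize:
        # Classic behaviour: the full name goes to each zone on the delegation chain,
        # so the number of queries equals the number of zones on the path.
        return [(z, qname) for z in path]
    queries = []
    known = 0  # index into path of the zone whose servers we currently know
    for n in range(1, len(q) + 1):
        sent = ".".join(q[-n:])          # one more label than last time
        queries.append((path[known], sent))
        # Sending the apex of the next zone on the path yields a referral; any
        # other name is answered (or denied) by the zone we already know, so we
        # keep asking that zone with one more label. One query per label either way.
        if known + 1 < len(path) and path[known + 1] == sent:
            known += 1
    return queries


def query_count(qname: str, zone_cuts: List[str], minimize: bool) -> int:
    return len(query_sequence(qname, zone_cuts, minimize))


# Constructed example: the zone cuts on the path to an MX host's TLSA name.
ZONE_CUTS = ["", "com", "example.com"]
TLSA_NAME = "_25._tcp.mxhost.example.com"

if __name__ == "__main__":
    for minimize in (False, True):
        print("minimized" if minimize else "classic  ",
              query_count(TLSA_NAME, ZONE_CUTS, minimize), "queries")
        for zone, name in query_sequence(TLSA_NAME, ZONE_CUTS, minimize):
            print("   ask zone %-12s for %s" % (repr(zone), name))
```

Running it shows the classic resolver stopping after three queries (root, com, example.com) while the minimizing resolver issues five, the last three all to example.com, which is exactly the extra round trips the latency concern is about.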