[anti-abuse-wg] IS3C public consultation on an alternative narrative to deploy Internet standards

On Tue 12/Mar/2024 17:24:08 +0100 David Conrad wrote:
> On Mar 12, 2024, at 1:57 AM, Alessandro Vesely <vesely at tana.it> wrote:
>> DNSSEC everywhere would make more sense than HTTPS everywhere, which instead 
>> won the hype. 
> 
> I figure enabling DNSSEC validation everywhere and signing what makes sense 
> after doing a cost/benefit trade off would be the rational way to go.  As 
> signing technologies get more mature, the cost goes down and even the marginal 
> benefit of signing everything would be justified.


Right, and I'd guess the number of operators involved in switching to DNSSEC is 
less than that for HTTPS.


>> Being sure to connect to the IP designated by the
>> domain is essential, while encrypting every page of sites like, say,
>> wikipedia is just wasting cycles.
> 
> As Randy points out, TLS also gives you authentication (as long as you trust 
> the myriad CAs) and with more granularity than the IP address.


Right, and let's note that the chain of trust is hierarchical for DNSSEC, which 
makes for a clear cut PKI.  HTTPS certificate are based on browser/ system/ 
distro/ user policy choices, a rather hazy infrastructure.


> On wasting cycles, if you only encrypt the sensitive stuff, you give away the 
> fact that you’re communicating sensitive stuff when you encrypt.
> 
> However, I suspect this isn’t particularly in the charter of this mailing list…


Well, the OP topic is DNSSEC and _Resource_ Public Key Infrastructure (RPKI), 
which is similar in principle to the domain based hierarchy of DNSSEC.


Best
Ale
--