-----Original Message-----
From: Ondřej Surý <ondrej.s...@nic.cz>
Date: Wednesday, September 4, 2013 10:37 AM
To: "wbr...@e1b.org" <wbr...@e1b.org>
Cc: "dns-operati...@dns-oarc.net" <dns-operati...@dns-oarc.net>
Subject: Re: [dns-operations] Implementation of negative trust anchors?
> On 22. 8. 2013, at 21:59, wbr...@e1b.org wrote:
>> Our browsers give us the option to trust invalid TLS certificates, some
>> even storing it indefinitely. Is an NTA much different?
>
> And in certain circles it's considered one of the biggest mistakes
> that could have happened, and the reason why the whole PKI fails so hard
> now.

I just want to point out that vendors, or software in general, should certainly ship secure by default, BUT also give users the option to shoot their own foot (with adequate documentation and shepherding away from loading the gun).

I believe in security, but also in free choice. When the two seem to conflict, better education is the answer, not removing one's ability to make choices. There will always be use cases the smartest cannot fathom which make perfect sense to someone you have not met... No matter how well-intentioned we are, I don't believe controlling someone else's destiny through force alone is the right path.

In my mind, this applies to SSL/TLS, NTA, etc.

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs