On Mon, Mar 2, 2015 at 6:13 AM, Stephane Bortzmeyer <[email protected]> wrote:
> There never was a mention of this working group here, so here it is:
> "tcpinc" tries to encrypt all TCP flows, without caring (too much)
> about authentication.
>
> https://datatracker.ietf.org/wg/tcpinc/
>
> Together with RFC 5966, could it be a "lightweight" solution for DNS
> encryption?

The objective of TCPINC is to provide best effort privacy. We are chartered to provide privacy. That does not look like a good match.

Having long experience of trying to persuade browser providers to do OCSP with TLS, I do not see any possibility that DNS over TCP is going to be acceptable to them. I don't care how many graphs are presented showing that TCP is as fast under lab conditions or with a specific stack or with new extensions etc. I would not be convinced and I see no reason why Google is going to be.

Reducing the time to load of the first page is a really big deal for the Chrome team. So when people are saying 'DNS over TCP isn't a major overhead' what the Chrome team are probably hearing is 'giving up half your annual bonus to do privacy our way shouldn't be a problem'.

I don't think the other big five browser providers are any different. They don't compete on security. Security has never been a priority or we would have done this twenty years ago.

The aim here is to write a spec that gets used. Taking short cuts to save ourselves some dev time is a false economy. The real challenge is deployment.
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
