On Sat, Feb 15, 2014 at 8:44 AM, Watson Ladd <watsonbl...@gmail.com> wrote:
> Dear all,
> This proposal has multiple shortcomings compared to DNSCurve.

And some advantages over DNSCurve.

> First off, it says that the rationale for TLS over DNSCurve is simply
> to "take advantage of TLS". I would respectfully submit that DJB can
> do a better job than the TLS committee, and did. Merely adding bolts
> and nuts onto a design is not improving it.

That is a value judgement that cannot be measured. While DJB's crypto algorithms have been widely adopted, his crypto protocols have not.

> Secondly, this proposal only works on TCP. This imposes latency and
> state requirements that most people would rather avoid. The use of
> keepalive only addresses computational burden, not state burden, and
> with the DH speed records we have today unnecessary.

That is a measurable criticism. Note that DNSCurve trades latency and state for massive amounts more computation by parties who might not care to do any. Even after many years, there has been no noticeable interest in DNSCurve from those whom that protocol would hit the hardest.

> Thirdly, this proposal ignores entirely how to validate the server
> over the TLS connection.

True.

> Does it need a certificate?

No.

> Who should be
> allowed to sign it?

"Allowed"? Are we now the identity police?

> How should it be validated?

Using TLS authentication.

> DNSSEC provides a PKI,
> and this proposal provides another one. Their interactions will not be
> fun.

They in fact might be fun; they have barely been explored.

> Fourthly, there is substantial operational knowledge and deployed,
> working, code implementing DNSCurve. This does not hold for this
> proposal.

I question "substantial" and "operational" at the level that is expected for this protocol. Regardless, there is substantial operational knowledge of TLS that dwarfs whatever has been done for DNSCurve.

--Paul Hoffman
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop