On Tue, 1 Apr 2014, Olafur Gudmundsson wrote:
> Over the years I have been saying use keys that are appropriate, thus for someone like Paypal it makes sense to have strong keys, but for my private domain does it matter what key size I use?
That depends. How much money is in your o...@ogud.com paypal account?

Seriously though, security strength should not depend on who uses it. Just like open source software does not tell you for what you can use the software. No one can make consistent judgement calls on that.

We already see security that is only available to "important players", like EV certificates, and browser vendors pinning their own certificates, OS vendors hardcoding their IP addresses. It's a position of privilege. We should not design or deploy to accommodate that.

One of the advantages of DNSSEC is that we can give everyone the highest levels of security. Don't make a security economy class.

People running giant DNS resolver farms can add a few boxes to their farm. People running resolvers on the stub can take the extra hit for the few domains they are resolving.

Paul