<article>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#article09_06_05_003253</id>
	<title>ICANN and NIST Announce Plans To Sign the DNS Root</title>
	<author>timothy</author>
	<datestamp>1244204940000</datestamp>
	<htmltext><a href="http://secspider.cs.ucla.edu/" rel="nofollow">jhutkd</a> writes <i>"On June 3rd, 2009, ICANN and NIST
<a href="http://www.icann.org/en/announcements/announcement-2-03jun09-en.htm">announced formal plans</a> <a href="http://www.nist.gov/public_affairs/releases/dnssec_060309.html">to use DNSSEC to sign the DNS root zone</a> by the end of 2009.  This is a huge step forward for the deployment of DNSSEC."</i></htmltext>
<tokenext>jhutkd writes " On June 3rd , 2009 , ICANN and NIST announced formal plans to use DNSSEC to sign the DNS root zone by the end of 2009 .
This is a huge step forward for the deployment of DNSSEC .
"</tokentext>
<sentencetext>jhutkd writes "On June 3rd, 2009, ICANN and NIST
announced formal plans to use DNSSEC to sign the DNS root zone by the end of 2009.
This is a huge step forward for the deployment of DNSSEC.
"</sentencetext>
</article>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28230353</id>
	<title>Some possible problems</title>
	<author>jwkckid1</author>
	<datestamp>1244226120000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>Two possible if not likely soon to be recognized
problems with this plan.  First Verisign, once
owned by Network Solutions will be the signing
authority for the root servers it currently
manages under contract for the USG, and second
NIST's recently released standard for signing
of these certs for DNSSEC is well known to be
weak amongst security professionals like myself.

Jeffrey A. Williams
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@ix.netcom.com
My Phone: 214-244-4827</htmltext>
<tokenext>Two possible if not likely soon to be recognized problems with this plan .
First Verisign , once owned by Network Solutions will be the signing authority for the root servers it currently manages under contract for the USG , and second NIST 's recently released standard for signing of these certs for DNSSEC is well known to be weak amongst security professionals like myself .
Jeffrey A. Williams CSO/DIR .
Internet Network Eng .
SR. Eng .
Network data security IDNS .
div. of Information Network Eng .
INEG. INC . ABA member in good standing member ID 01257402 E-Mail jwkckid1 @ ix.netcom.com My Phone : 214-244-4827</tokentext>
<sentencetext>Two possible if not likely soon to be recognized
problems with this plan.
First Verisign, once
owned by Network Solutions will be the signing
authority for the root servers it currently
manages under contract for the USG, and second
NIST's recently released standard for signing
of these certs for DNSSEC is well known to be
weak amongst security professionals like myself.
Jeffrey A. Williams
CSO/DIR.
Internet Network Eng.
SR. Eng.
Network data security IDNS.
div. of Information Network Eng.
INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@ix.netcom.com
My Phone: 214-244-4827</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217307</id>
	<title>Re:There is a curious lack of small DNSSEC resolve</title>
	<author>spinkham</author>
	<datestamp>1244123820000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>5</modscore>
	<htmltext><p>Windows 7 and Windows Server 2008 R2 have one built in, and <a href="http://www.unbound.net/" title="unbound.net">Unbound</a> [unbound.net] is a smaller DNSSEC aware resolver for Unix like OSs.</p></htmltext>
<tokenext>Windows 7 and Windows Server 2008 R2 have one built in , and Unbound [ unbound.net ] is a smaller DNSSEC aware resolver for Unix like OSs .</tokentext>
<sentencetext>Windows 7 and Windows Server 2008 R2 have one built in, and Unbound [unbound.net] is a smaller DNSSEC aware resolver for Unix like OSs.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217203</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28219011</id>
	<title>Re:So what?</title>
	<author>Phroggy</author>
	<datestamp>1244143080000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>They can take all the measures they want to secure the root, if they keep letting unscrupulous registrars sell domains it all will be for naught anyways.  Wake me up if they ever decide that for some reason they feel security and stability are suddenly more important than profit.</p></div><p>DNSSEC won't reduce spam, but it will help to solve other problems.</p></div>
	</htmltext>
<tokenext>They can take all the measures they want to secure the root , if they keep letting unscrupulous registrars sell domains it all will be for naught anyways .
Wake me up if they ever decide that for some reason they feel security and stability are suddenly more important than profit.DNSSEC wo n't reduce spam , but it will help to solve other problems .</tokentext>
<sentencetext>They can take all the measures they want to secure the root, if they keep letting unscrupulous registrars sell domains it all will be for naught anyways.
Wake me up if they ever decide that for some reason they feel security and stability are suddenly more important than profit.DNSSEC won't reduce spam, but it will help to solve other problems.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217639</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217639</id>
	<title>So what?</title>
	<author>damn_registrars</author>
	<datestamp>1244127480000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext>They can take all the measures they want to secure the root, if they keep letting unscrupulous registrars sell domains it all will be for naught anyways.  Wake me up if they ever decide that for some reason they feel security and stability are suddenly more important than profit.</htmltext>
<tokenext>They can take all the measures they want to secure the root , if they keep letting unscrupulous registrars sell domains it all will be for naught anyways .
Wake me up if they ever decide that for some reason they feel security and stability are suddenly more important than profit .</tokentext>
<sentencetext>They can take all the measures they want to secure the root, if they keep letting unscrupulous registrars sell domains it all will be for naught anyways.
Wake me up if they ever decide that for some reason they feel security and stability are suddenly more important than profit.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217303</id>
	<title>Re:VeriSign</title>
	<author>Anonymous</author>
	<datestamp>1244123760000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>5</modscore>
	<htmltext><p><i>Wasn't VeriSign the one who set up the brain-dead system where now we all get to pay them (or a few connected competitors) for the privilege to share secure content with https?</i></p><p>You can set up your own secure content with https. But why should the general public trust your certificate? You pay verisign (or another trusted CA) to vouch for your secure content.</p><p>Without someone vouching for your certificate, there is no proof it's yours, and it's spoofable.</p><p>My company has its own CA. It's pushed out to all company computers automatically by domain policy. Works great for internal company sites, but for public sites, we use signed certificates from a real CA.</p><p><i>I hope we do that again for DNS servers!</i></p><p>You got a better idea? Maybe governments or domain registrars would sign certs?</p></htmltext>
<tokenext>Was n't VeriSign the one who set up the brain-dead system where now we all get to pay them ( or a few connected competitors ) for the privilege to share secure content with https ? You can set up your own secure content with https .
But why should the general public trust your certificate ?
You pay verisign ( or another trusted CA ) to vouch for your secure content.Without someone vouching for your certificate , there is no proof it 's yours , and it 's spoofable.My company has its own CA .
It 's pushed out to all company computers automatically by domain policy .
Works great for internal company sites , but for public sites , we use signed certificates from a real CA.I hope we do that again for DNS servers ! You got a better idea ?
Maybe governments or domain registrars would sign certs ?</tokentext>
<sentencetext>Wasn't VeriSign the one who set up the brain-dead system where now we all get to pay them (or a few connected competitors) for the privilege to share secure content with https?You can set up your own secure content with https.
But why should the general public trust your certificate?
You pay verisign (or another trusted CA) to vouch for your secure content.Without someone vouching for your certificate, there is no proof it's yours, and it's spoofable.My company has its own CA.
It's pushed out to all company computers automatically by domain policy.
Works great for internal company sites, but for public sites, we use signed certificates from a real CA.I hope we do that again for DNS servers!You got a better idea?
Maybe governments or domain registrars would sign certs?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217213</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217531</id>
	<title>Us!</title>
	<author>SEWilco</author>
	<datestamp>1244126100000</datestamp>
	<modclass>Funny</modclass>
	<modscore>2</modscore>
	<htmltext>All your root are belong to us.</htmltext>
<tokenext>All your root are belong to us .</tokentext>
<sentencetext>All your root are belong to us.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217327</id>
	<title>ICANN?</title>
	<author>Anonymous</author>
	<datestamp>1244124000000</datestamp>
	<modclass>Funny</modclass>
	<modscore>5</modscore>
	<htmltext><p>ICANN haz DNSSEC?</p></htmltext>
<tokenext>ICANN haz DNSSEC ?</tokentext>
<sentencetext>ICANN haz DNSSEC?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217615</id>
	<title>Who holds the master key?</title>
	<author>karl.auerbach</author>
	<datestamp>1244126940000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>4</modscore>
	<htmltext><p>Who will be the person who gets to hold the master crypto keys used to sign the root zone?</p><p>Somebody, somewhere, has to do this.  Who?</p></htmltext>
<tokenext>Who will be the person who gets to hold the master crypto keys used to sign the root zone ? Somebody , somewhere , has to do this .
Who ?</tokentext>
<sentencetext>Who will be the person who gets to hold the master crypto keys used to sign the root zone?Somebody, somewhere, has to do this.
Who?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28227437</id>
	<title>Domain dispute resolutions</title>
	<author>tepples</author>
	<datestamp>1244195460000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>If you went to the DMV and said "Hey, can I have a license for 'Steve Jobs'?" should they reply with "Let me just see if that name is taken yet? Nope, here ya go!" or should they say "Are you Steve Jobs?"</p></div><p>The TLDs have <a href="http://www.icann.org/en/udrp/udrp-policy-24oct99.htm" title="icann.org">dispute resolution policies</a> [icann.org] for that sort of thing. Here's how it normally works:
</p><ol> <li>Example Inc. applies for a trademark registration on EXAMPLE for some sort of good in a developed country.</li><li>Realemain LLC registers the domain EXAMPLE.COM without having registered a trademark for EXAMPLE in any field of goods and services.</li><li>Realemain puts EXAMPLE.COM up for sale or uses the domain for a confusing purpose.</li><li>Example Inc. discovers this and builds a case for Realemain's bad faith and presents it to a WIPO arbitration panel.</li><li>WIPO finds in favor of Example Inc. and orders the registrar to transfer EXAMPLE.COM to Example Inc.</li></ol><p>
In addition, new TLDs often have a "sunrise" period, in which entities need to submit proof of trademark registration in order to register a corresponding domain, before the TLD goes live.</p></div>
	</htmltext>
<tokenext>If you went to the DMV and said " Hey , can I have a license for 'Steve Jobs ' ?
" should they reply with " Let me just see if that name is taken yet ?
Nope , here ya go !
" or should they say " Are you Steve Jobs ?
" The TLDs have dispute resolution policies [ icann.org ] for that sort of thing .
Here 's how it normally works : Example Inc. applies for a trademark registration on EXAMPLE for some sort of good in a developed country.Realemain LLC registers the domain EXAMPLE.COM without having registered a trademark for EXAMPLE in any field of goods and services.Realemain puts EXAMPLE.COM up for sale or uses the domain for a confusing purpose.Example Inc. discovers this and builds a case for Realemain 's bad faith and presents it to a WIPO arbitration panel.WIPO finds in favor of Example Inc. and orders the registrar to transfer EXAMPLE.COM to Example Inc . In addition , new TLDs often have a " sunrise " period , in which entities need to submit proof of trademark registration in order to register a corresponding domain , before the TLD goes live .</tokentext>
<sentencetext>If you went to the DMV and said "Hey, can I have a license for 'Steve Jobs'?
" should they reply with "Let me just see if that name is taken yet?
Nope, here ya go!
" or should they say "Are you Steve Jobs?
"The TLDs have dispute resolution policies [icann.org] for that sort of thing.
Here's how it normally works:
 Example Inc. applies for a trademark registration on EXAMPLE for some sort of good in a developed country.Realemain LLC registers the domain EXAMPLE.COM without having registered a trademark for EXAMPLE in any field of goods and services.Realemain puts EXAMPLE.COM up for sale or uses the domain for a confusing purpose.Example Inc. discovers this and builds a case for Realemain's bad faith and presents it to a WIPO arbitration panel.WIPO finds in favor of Example Inc. and orders the registrar to transfer EXAMPLE.COM to Example Inc.
In addition, new TLDs often have a "sunrise" period, in which entities need to submit proof of trademark registration in order to register a corresponding domain, before the TLD goes live.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217747</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28220799</id>
	<title>Re:VeriSign</title>
	<author>Anonymous</author>
	<datestamp>1244208780000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>4</modscore>
	<htmltext><p>You're missing the point of SSL somewhat.  To establish a secure connection between two computers, they need to exchange keys.  With public-key encryption, you can both send your public key and no one can intercept the traffic.  As long as you both encrypt with the other's public key, the traffic can only be read with the private key.  </p><p>
A self-signed certificate works in exactly this way.  The problem is that a third party can sit in the middle and carry out the key exchange with both of you.  You both get the intermediary's public key and encrypt with that.  The intermediary decrypts the conversation, reencrypts with the other party's key, and either just records or modifies the plaintext in the middle.</p><p>
This is possible because there is no way of ensuring that the self-signed certificate really comes from the other machine.  Self-signed certs are better than no certs, because they protect you from passive attacks, but they still leave you vulnerable to active attacks.  If you use a third-party CA trusted by the client then the certificate that they receive is signed by the CA's key.  The certificate is not just a public key, it also contains information about the domain name and company name of the remote machine.  If the CA's signature matches then the client can be sure that the remote machine is owned and operated by the people who bought the certificate.  This doesn't prove that it is the machine that they think it is, but it generally shows that there is no intermediary intercepting the communication.</p><p>
This becomes more interesting when you add DNSSEC.  Each DNS zone is signed by the parent zone.  This means that you can trust that everything you get from DNS is definitely set by whoever is meant to be in charge of the DNS zone.  Because DNS can carry arbitrary text strings, not just resolving information, you can put a public key in there and use it to negotiate an SSL connection.  This doesn't require any third-party, which is why companies like Verisign are so hostile to it - it effectively eliminates their business model.</p></htmltext>
<tokenext>You 're missing the point of SSL somewhat .
To establish a secure connection between two computers , they need to exchange keys .
With public-key encryption , you can both send your public key and no one can intercept the traffic .
As long as you both encrypt with the other 's public key , the traffic can only be read with the private key .
A self-signed certificate works in exactly this way .
The problem is that a third party can sit in the middle and carry out the key exchange with both of you .
You both get the intermediary 's public key and encrypt with that .
The intermediary decrypts the conversation , reencrypts with the other party 's key , and either just records or modifies the plaintext in the middle .
This is possible because there is no way of ensuring that the self-signed certificate really comes from the other machine .
Self-signed certs are better than no certs , because they protect you from passive attacks , but they still leave you vulnerable to active attacks .
If you use a third-party CA trusted by the client then the certificate that they receive is signed by the CA 's key .
The certificate is not just a public key , it also contains information about the domain name and company name of the remote machine .
If the CA 's signature matches then the client can be sure that the remote machine is owned and operated by the people who bought the certificate .
This does n't prove that it is the machine that they think it is , but it generally shows that there is no intermediary intercepting the communication .
This becomes more interesting when you add DNSSEC .
Each DNS zone is signed by the parent zone .
This means that you can trust that everything you get from DNS is definitely set by whoever is meant to be in charge of the DNS zone .
Because DNS can carry arbitrary text strings , not just resolving information , you can put a public key in there and use it to negotiate an SSL connection .
This does n't require any third-party , which is why companies like Verisign are so hostile to it - it effectively eliminates their business model .</tokentext>
<sentencetext>You're missing the point of SSL somewhat.
To establish a secure connection between two computers, they need to exchange keys.
With public-key encryption, you can both send your public key and no one can intercept the traffic.
As long as you both encrypt with the other's public key, the traffic can only be read with the private key.
A self-signed certificate works in exactly this way.
The problem is that a third party can sit in the middle and carry out the key exchange with both of you.
You both get the intermediary's public key and encrypt with that.
The intermediary decrypts the conversation, reencrypts with the other party's key, and either just records or modifies the plaintext in the middle.
This is possible because there is no way of ensuring that the self-signed certificate really comes from the other machine.
Self-signed certs are better than no certs, because they protect you from passive attacks, but they still leave you vulnerable to active attacks.
If you use a third-party CA trusted by the client then the certificate that they receive is signed by the CA's key.
The certificate is not just a public key, it also contains information about the domain name and company name of the remote machine.
If the CA's signature matches then the client can be sure that the remote machine is owned and operated by the people who bought the certificate.
This doesn't prove that it is the machine that they think it is, but it generally shows that there is no intermediary intercepting the communication.
This becomes more interesting when you add DNSSEC.
Each DNS zone is signed by the parent zone.
This means that you can trust that everything you get from DNS is definitely set by whoever is meant to be in charge of the DNS zone.
Because DNS can carry arbitrary text strings, not just resolving information, you can put a public key in there and use it to negotiate an SSL connection.
This doesn't require any third-party, which is why companies like Verisign are so hostile to it - it effectively eliminates their business model.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217303</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217583</id>
	<title>DNSCurve</title>
	<author>Anonymous</author>
	<datestamp>1244126580000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>I still think DNSCurve would have made more sense, <a href="http://dnscurve.org/dnssec.html" title="dnscurve.org">http://dnscurve.org/dnssec.html</a> [dnscurve.org]</p></htmltext>
<tokenext>I still think DNSCurve would have made more sense , http : //dnscurve.org/dnssec.html [ dnscurve.org ]</tokentext>
<sentencetext>I still think DNSCurve would have made more sense, http://dnscurve.org/dnssec.html [dnscurve.org]</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217933</id>
	<title>Re:DNSCurve</title>
	<author>Anonymous</author>
	<datestamp>1244130960000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p><div class="quote"><p>I still think DNSCurve would have made more sense, <a href="http://dnscurve.org/dnssec.html" title="dnscurve.org">http://dnscurve.org/dnssec.html</a> [dnscurve.org] </p></div><p>DNSSEC certifies the data, while DNSCurve only certifies the connection between the DNS server and the resolver.</p><p>With DNSSEC, you know that the DNS records you receive are correct.</p><p>With DNSCurve, your ISP's caching resolver  knows that it is talking to the proper DNS server. You do not know that you are talking to your ISP's resolver instead of an imposter, and you do not know if your ISP is forwarding the records accurately.</p><p>DNSSEC can be used for interesting things like distributing public keys. DNSCurve cannot, because it still requires you to trust your ISP and your ISP's network. (Or alternatively it would require that shared caching resolvers not be used, which would cause a major increase in traffic to the authoritative servers.)</p></div>
	</htmltext>
<tokenext>I still think DNSCurve would have made more sense , http : //dnscurve.org/dnssec.html [ dnscurve.org ] DNSSEC certifies the data , while DNSCurve only certifies the connection between the DNS server and the resolver.With DNSSEC , you know that the DNS records you receive are correct.With DNSCurve , your ISP 's caching resolver knows that it is talking to the proper DNS server .
You do not know that you are talking to your ISP 's resolver instead of an imposter , and you do not know if your ISP is forwarding the records accurately.DNSSEC can be used for interesting things like distributing public keys .
DNSCurve can not , because it still requires you to trust your ISP and your ISP 's network .
( Or alternatively it would require that shared caching resolvers not be used , which would cause a major increase in traffic to the authoritative servers .
)</tokentext>
<sentencetext>I still think DNSCurve would have made more sense, http://dnscurve.org/dnssec.html [dnscurve.org] DNSSEC certifies the data, while DNSCurve only certifies the connection between the DNS server and the resolver.With DNSSEC, you know that the DNS records you receive are correct.With DNSCurve, your ISP's caching resolver  knows that it is talking to the proper DNS server.
You do not know that you are talking to your ISP's resolver instead of an imposter, and you do not know if your ISP is forwarding the records accurately.DNSSEC can be used for interesting things like distributing public keys.
DNSCurve cannot, because it still requires you to trust your ISP and your ISP's network.
(Or alternatively it would require that shared caching resolvers not be used, which would cause a major increase in traffic to the authoritative servers.
)
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217583</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28218107</id>
	<title>The root zone is already signed</title>
	<author>Anonymous</author>
	<datestamp>1244132880000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>You can already download the root zone from http://www.internic.net/domain/, verify its GPG signature, and then configure your DNS cache to use the file instead of contacting the root servers.  Just set up a cron job to automatically update and re-verify the file once a month.  DNS queries will even resolve faster because you won't have to contact the root servers!</p></htmltext>
<tokenext>You can already download the root zone from http : //www.internic.net/domain/ , verify its GPG signature , and then configure your DNS cache to use the file instead of contacting the root servers .
Just set up a cron job to automatically update and re-verify the file once a month .
DNS queries will even resolve faster because you wo n't have to contact the root servers !</tokentext>
<sentencetext>You can already download the root zone from http://www.internic.net/domain/, verify its GPG signature, and then configure your DNS cache to use the file instead of contacting the root servers.
Just set up a cron job to automatically update and re-verify the file once a month.
DNS queries will even resolve faster because you won't have to contact the root servers!</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217295</id>
	<title>Re:VeriSign</title>
	<author>Anonymous</author>
	<datestamp>1244123700000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>5</modscore>
	<htmltext><p>There are no certs, just signed DNS records. All DNS records which are published in a DNSSEC enabled zone (the root "." zone in this case) are signed with the public key of that zone. The public key of a delegated zone is just another record. There is nothing special about it which could justify an extra charge.</p><p>The additional cost of installing and maintaining the DNSSEC system is incurred for the zone as a whole. There is no individual authentication overhead beyond what is already necessary to make sure that only the domain owner can change the delegation records of a domain.</p></htmltext>
<tokenext>There are no certs , just signed DNS records .
All DNS records which are published in a DNSSEC enabled zone ( the root " .
" zone in this case ) are signed with the public key of that zone .
The public key of a delegated zone is just another record .
There is nothing special about it which could justify an extra charge.The additional cost of installing and maintaining the DNSSEC system is incurred for the zone as a whole .
There is no individual authentication overhead beyond what is already necessary to make sure that only the domain owner can change the delegation records of a domain .</tokentext>
<sentencetext>There are no certs, just signed DNS records.
All DNS records which are published in a DNSSEC enabled zone (the root ".
" zone in this case) are signed with the public key of that zone.
The public key of a delegated zone is just another record.
There is nothing special about it which could justify an extra charge.The additional cost of installing and maintaining the DNSSEC system is incurred for the zone as a whole.
There is no individual authentication overhead beyond what is already necessary to make sure that only the domain owner can change the delegation records of a domain.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217213</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28219297</id>
	<title>Thanks to all ya'all for making it happen.</title>
	<author>Anonymous</author>
	<datestamp>1244233740000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Good to see the USoA has, as usual, ignored all complaints from everywhere else (the world population is 300-odd million and some scary brown people in a desert somewhere, right? right?) and is going right ahead breaking one more promise, this time not to meddle with everyone's internet.</p><p>Thanks to all ya'all for making it happen.</p></htmltext>
<tokenext>Good to see the USoA has , as usual , ignored all complaints from everywhere else ( the world population is 300-odd million and some scary brown people in a desert somewhere , right ?
right ? ) and is going right ahead breaking one more promise , this time not to meddle with everyone 's internet.Thanks to all ya'all for making it happen .</tokentext>
<sentencetext>Good to see the USoA has, as usual, ignored all complaints from everywhere else (the world population is 300-odd million and some scary brown people in a desert somewhere, right?
right?) and is going right ahead breaking one more promise, this time not to meddle with everyone's internet.Thanks to all ya'all for making it happen.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217801</id>
	<title>Re:VeriSign</title>
	<author>GodfatherofSoul</author>
	<datestamp>1244129580000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p> <i>You got a better idea? Maybe governments or domain registrars would sign certs?</i> </p><p>Yes</p></htmltext>
<tokenext>You got a better idea ?
Maybe governments or domain registrars would sign certs ?
Yes</tokentext>
<sentencetext> You got a better idea?
Maybe governments or domain registrars would sign certs?
Yes</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217303</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217747</id>
	<title>Re:Yeah, that'll help</title>
	<author>QuantumG</author>
	<datestamp>1244128740000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Great, so take a system with the motto of "you got here first and have paid" and make it the basis of an identification system.  Think about that.  If you went to the DMV and said "Hey, can I have a license for 'Steve Jobs'?" should they reply with "Let me just see if that name is taken yet?  Nope, here ya go!" or should they say "Are you Steve Jobs?"</p></htmltext>
<tokenext>Great , so take a system with the motto of " you got here first and have paid " and make it the basis of an identification system .
Think about that .
If you went to the DMV and said " Hey , can I have a license for 'Steve Jobs ' ?
" should they reply with " Let me just see if that name is taken yet ?
Nope , here ya go !
" or should they say " Are you Steve Jobs ?
"</tokentext>
<sentencetext>Great, so take a system with the motto of "you got here first and have paid" and make it the basis of an identification system.
Think about that.
If you went to the DMV and said "Hey, can I have a license for 'Steve Jobs'?
" should they reply with "Let me just see if that name is taken yet?
Nope, here ya go!
" or should they say "Are you Steve Jobs?
"</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217559</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28222561</id>
	<title>Re:First root</title>
	<author>FredFredrickson</author>
	<datestamp>1244217360000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>You know what would fix the "first post syndrome"? Just a simple word count requirement with a count-down timer and a filter for particular words.. if any variation of URLS or FIRST or FROSTY PISS show up, it requires you to wait 2 minutes before submitting. It would be a gamble, and you would unlikely end up the first post troll- and it would cut down on the desire to do it, since it's rarely possible. More often relevant posts would end up #1, even though they clicked submit later.</htmltext>
<tokenext>You know what would fix the " first post syndrome " ?
Just a simple word count requirement with a count-down timer and a filter for particular words.. if any variation of URLS or FIRST or FROSTY PISS show up , it requires you to wait 2 minutes before submitting .
It would be a gamble , and you would unlikely end up the first post troll- and it would cut down on the desire to do it , since it 's rarely possible .
More often relevant posts would end up # 1 , even though they clicked submit later .</tokentext>
<sentencetext>You know what would fix the "first post syndrome"?
Just a simple word count requirement with a count-down timer and a filter for particular words.. if any variation of URLS or FIRST or FROSTY PISS show up, it requires you to wait 2 minutes before submitting.
It would be a gamble, and you would unlikely end up the first post troll- and it would cut down on the desire to do it, since it's rarely possible.
More often relevant posts would end up #1, even though they clicked submit later.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217091</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28218451</id>
	<title>Re:VeriSign</title>
	<author>complete loony</author>
	<datestamp>1244136420000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>You got a better idea?</p></div><p>Yep. Once you've got DNSSEC you can publish a self signed cert in your DNS records (or public key or whatever standard people can agree on). Then you just need client support to fetch the details from DNS when connecting to the host over SSL.</p></div>
	</htmltext>
<tokenext>You got a better idea ? Yep .
Once you 've got DNSSEC you can publish a self signed cert in your DNS records ( or public key or whatever standard people can agree on ) .
Then you just need client support to fetch the details from DNS when connecting to the host over SSL .</tokentext>
<sentencetext>You got a better idea?Yep.
Once you've got DNSSEC you can publish a self signed cert in your DNS records (or public key or whatever standard people can agree on).
Then you just need client support to fetch the details from DNS when connecting to the host over SSL.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217303</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28230257</id>
	<title>Re:VeriSign</title>
	<author>cdhgee</author>
	<datestamp>1244224980000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext>You forgot your opening &lt;snark&gt; tag<nobr> <wbr></nobr>:-P</htmltext>
<tokenext>You forgot your opening tag : -P</tokentext>
<sentencetext>You forgot your opening  tag :-P</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217213</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28223241</id>
	<title>Re:Who holds the master key?</title>
	<author>Anonymous</author>
	<datestamp>1244219880000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Ooooo,  oooooo!   Me!  Can I hold them?!</p></htmltext>
<tokenext>Ooooo , oooooo !
Me ! Can I hold them ?
!</tokentext>
<sentencetext>Ooooo,  oooooo!
Me!  Can I hold them?
!</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217615</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217539</id>
	<title>Yuo 7ail it</title>
	<author>Anonymous</author>
	<datestamp>1244126100000</datestamp>
	<modclass>Offtopic</modclass>
	<modscore>-1</modscore>
	<htmltext><A HREF="http://goat.cx/" title="goat.cx" rel="nofollow">despiTe the</a> [goat.cx]</htmltext>
<tokenext>despiTe the [ goat.cx ]</tokentext>
<sentencetext>despiTe the [goat.cx]</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28220979</id>
	<title>Signed = value</title>
	<author>halcyon1234</author>
	<datestamp>1244209920000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>They're going to start signing them!  Awesome.  Signed things automatically double in value.  I'm going to get a bunch of them now, then hold onto them until ICANN and NIST die.  Then they'll double in value again, and I'm in the profits!</htmltext>
<tokenext>They 're going to start signing them !
Awesome. Signed things automatically double in value .
I 'm going to get a bunch of them now , then hold onto them until ICANN and NIST die .
Then they 'll double in value again , and I 'm in the profits !</tokentext>
<sentencetext>They're going to start signing them!
Awesome.  Signed things automatically double in value.
I'm going to get a bunch of them now, then hold onto them until ICANN and NIST die.
Then they'll double in value again, and I'm in the profits!</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28220583</id>
	<title>Re:Yeah, that'll help</title>
	<author>Anonymous</author>
	<datestamp>1244206980000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Identity verification is a non-goal of SSL.  The purpose of having a cert signed is so that someone receiving a cert claiming to be from <a href="http://joessite.com/" title="joessite.com">http://joessite.com/</a> [joessite.com] can be sure it's <i>actually</i> from the person who controls joessite.com, and not someone trying to MITM you.
<br> <br>
Whether that's Joe or not is not an addressed issue.</htmltext>
<tokenext>Identity verification is a non-goal of SSL .
The purpose of having a cert signed is so that someone receiving a cert claiming to be from http : //joessite.com/ [ joessite.com ] can be sure it 's actually from the person who controls joessite.com , and not someone trying to MITM you .
Whether that 's Joe or not is not an addressed issue .</tokentext>
<sentencetext>Identity verification is a non-goal of SSL.
The purpose of having a cert signed is so that someone receiving a cert claiming to be from http://joessite.com/ [joessite.com] can be sure it's actually from the person who controls joessite.com, and not someone trying to MITM you.
Whether that's Joe or not is not an addressed issue.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217305</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217593</id>
	<title>the problem with securing DNS is the DNS is secure</title>
	<author>Anonymous</author>
	<datestamp>1244126700000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>5</modscore>
	<htmltext>The big problem with DNSSEC, if widely used, is that it prevents forgery of DNS responses.   ISPs and internet cafes will not like this, since that means they can no longer forge DNS replies to missing domains or to force people through registration pages.   I can see a *LOT* of push-back from having end-users using DNSSEC.</htmltext>
<tokenext>The big problem with DNSSEC , if widely used , is that it prevents forgery of DNS responses .
ISPs and internet cafes will not like this , since that means they can no longer forge DNS replies to missing domains or to force people through registration pages .
I can see a * LOT * of push-back from having end-users using DNSSEC .</tokentext>
<sentencetext>The big problem with DNSSEC, if widely used, is that it prevents forgery of DNS responses.
ISPs and internet cafes will not like this, since that means they can no longer forge DNS replies to missing domains or to force people through registration pages.
I can see a *LOT* of push-back from having end-users using DNSSEC.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217765</id>
	<title>Re:VeriSign</title>
	<author>Anonymous</author>
	<datestamp>1244128980000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>1</modscore>
	<htmltext><p>I have an idea! We could sign the root with DNSSEC, then we wouldn't have any of those problems. Now, I wonder why no one else has thought of that.</p><p>Oh, wait...</p></htmltext>
<tokenext>I have an idea !
We could sign the root with DNSSEC , then we would n't have any of those problems .
Now , I wonder why no one else has thought of that.Oh , wait.. .</tokentext>
<sentencetext>I have an idea!
We could sign the root with DNSSEC, then we wouldn't have any of those problems.
Now, I wonder why no one else has thought of that.Oh, wait...</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217303</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28218295</id>
	<title>Re:VeriSign</title>
	<author>JanneM</author>
	<datestamp>1244134980000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><i>You got a better idea? Maybe governments or domain registrars would sign certs?</i></p><p>Governments are the entities signing off on other forms of identification. So why not this?</p></htmltext>
<tokenext>You got a better idea ?
Maybe governments or domain registrars would sign certs ? Governments are the entities signing off on other forms of identification .
So why not this ?</tokentext>
<sentencetext>You got a better idea?
Maybe governments or domain registrars would sign certs?Governments are the entities signing off on other forms of identification.
So why not this?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217303</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28220881</id>
	<title>Re:There is a curious lack of small DNSSEC resolve</title>
	<author>hey</author>
	<datestamp>1244209320000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Unbound is included in Fedora 10.<br>So "yum install unbound" gets it.</p></htmltext>
<tokenext>Unbound is included in Fedora 10.So " yum install unbound " gets it .</tokentext>
<sentencetext>Unbound is included in Fedora 10.So "yum install unbound" gets it.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217307</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217091</id>
	<title>First root</title>
	<author>Anonymous</author>
	<datestamp>1244122200000</datestamp>
	<modclass>Offtopic</modclass>
	<modscore>-1</modscore>
	<htmltext><p>First root</p></htmltext>
<tokenext>First root</tokentext>
<sentencetext>First root</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217559</id>
	<title>Re:Yeah, that'll help</title>
	<author>blueg3</author>
	<datestamp>1244126340000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Yes, that is exactly the problem signing the DNS root zone is solving -- SSL certificates.</p><p>Pro tip: not all cryptographic and security systems on the Internet are necessarily SSL.</p></htmltext>
<tokenext>Yes , that is exactly the problem signing the DNS root zone is solving -- SSL certificates.Pro tip : not all cryptographic and security systems on the Internet are necessarily SSL .</tokentext>
<sentencetext>Yes, that is exactly the problem signing the DNS root zone is solving -- SSL certificates.Pro tip: not all cryptographic and security systems on the Internet are necessarily SSL.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217305</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217213</id>
	<title>VeriSign</title>
	<author>Anonymous</author>
	<datestamp>1244123100000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>4</modscore>
	<htmltext><p>Wasn't VeriSign the one who set up the brain-dead system where now we all get to pay them (or a few connected competitors) for the privilege to share secure content with https?</p><p>I hope we do that again for DNS servers!</p><p>&lt;/snark&gt;</p><p>But seriously, what's the business model for maintaining the certs?</p></htmltext>
<tokenext>Was n't VeriSign the one who set up the brain-dead system where now we all get to pay them ( or a few connected competitors ) for the privilege to share secure content with https ? I hope we do that again for DNS servers ! But seriously , what 's the business model for maintaining the certs ?</tokentext>
<sentencetext>Wasn't VeriSign the one who set up the brain-dead system where now we all get to pay them (or a few connected competitors) for the privilege to share secure content with https?I hope we do that again for DNS servers!But seriously, what's the business model for maintaining the certs?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28223601</id>
	<title>Re:Who holds the master key?</title>
	<author>BaseSequence</author>
	<datestamp>1244221200000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>Who will be the person who gets to hold the master crypto keys used to sign the root zone?</p><p>Somebody, somewhere, has to do this.  Who?</p></div><p>...Gandalf and Elrond look pointedly at Frodo...</p></div>
	</htmltext>
<tokenext>Who will be the person who gets to hold the master crypto keys used to sign the root zone ? Somebody , somewhere , has to do this .
Who ? ...Gandalf and Elrond look pointedly at Frodo.. .</tokentext>
<sentencetext>Who will be the person who gets to hold the master crypto keys used to sign the root zone?Somebody, somewhere, has to do this.
Who?...Gandalf and Elrond look pointedly at Frodo...
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217615</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28224469</id>
	<title>Re:Yeah, that'll help</title>
	<author>???</author>
	<datestamp>1244224440000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p>Please name such a CA which "happily hand over valid certs to anyone with a credit card" and does not "take reasonable measures to verify that the entity submitting the certificate signing request has registered the domain(s) referenced in the certificate or has been authorized by the domain registrant to act on the registrant's behalf" and which is trusted by the major browsers.</p><p>And then, perhaps, explain why you feel this is in _any_ way relevant to a discussion on DNSSEC.</p><p>Though, I suppose, this is Slashdot.  Why post based on relevant facts rather than baseless, off-topic innuendo?</p></htmltext>
<tokenext>Please name such a CA which " happily hand over valid certs to anyone with a credit card " and does not " take reasonable measures to verify that the entity submitting the certificate signing request has registered the domain ( s ) referenced in the certificate or has been authorized by the domain registrant to act on the registrant 's behalf " and which is trusted by the major browsers.And then , perhaps , explain why you feel this is in _any_ way relevant to a discussion on DNSSEC.Though , I suppose , this is Slashdot .
Why post based on relevant facts rather than baseless , off-topic innuendo ?</tokentext>
<sentencetext>Please name such a CA which "happily hand over valid certs to anyone with a credit card" and does not "take reasonable measures to verify that the entity submitting the certificate signing request has registered the domain(s) referenced in the certificate or has been authorized by the domain registrant to act on the registrant's behalf" and which is trusted by the major browsers.And then, perhaps, explain why you feel this is in _any_ way relevant to a discussion on DNSSEC.Though, I suppose, this is Slashdot.
Why post based on relevant facts rather than baseless, off-topic innuendo?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217305</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217203</id>
	<title>There is a curious lack of small DNSSEC resolvers</title>
	<author>Anonymous</author>
	<datestamp>1244123040000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>0</modscore>
	<htmltext><p>...or am I just not seeing the forest for the trees? There's BIND, but that seems a little excessive for a personal recursive resolver. The small ones don't seem to even have DNSSEC support on the short term agenda. What to do?</p></htmltext>
<tokenext>...or am I just not seeing the forest for the trees ?
There 's BIND , but that seems a little excessive for a personal recursive resolver .
The small ones do n't seem to even have DNSSEC support on the short term agenda .
What to do ?</tokentext>
<sentencetext>...or am I just not seeing the forest for the trees?
There's BIND, but that seems a little excessive for a personal recursive resolver.
The small ones don't seem to even have DNSSEC support on the short term agenda.
What to do?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217353</id>
	<title>Re:Yeah, that'll help</title>
	<author>Anonymous</author>
	<datestamp>1244124240000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>That's off topic, isn't it? Anyway, DNSSEC has the potential to replace these certificates which only prove that you control the domain, and it will do it for free. So yes, that will indeed help.</p><p>(If you're wondering how: DNSSEC establishes a trust hierarchy, just like the trust hierarchy of SSL certificate authorities. This enables DNS to deliver authenticated public keys which could be used for SSL connections, replacing the keys in SSL certificates.)</p></htmltext>
<tokenext>That 's off topic , is n't it ?
Anyway , DNSSEC has the potential to replace these certificates which only prove that you control the domain , and it will do it for free .
So yes , that will indeed help .
( If you 're wondering how : DNSSEC establishes a trust hierarchy , just like the trust hierarchy of SSL certificate authorities .
This enables DNS to deliver authenticated public keys which could be used for SSL connections , replacing the keys in SSL certificates .
)</tokentext>
<sentencetext>That's off topic, isn't it?
Anyway, DNSSEC has the potential to replace these certificates which only prove that you control the domain, and it will do it for free.
So yes, that will indeed help.
(If you're wondering how: DNSSEC establishes a trust hierarchy, just like the trust hierarchy of SSL certificate authorities.
This enables DNS to deliver authenticated public keys which could be used for SSL connections, replacing the keys in SSL certificates.
)</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217305</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217305</id>
	<title>Yeah, that'll help</title>
	<author>QuantumG</author>
	<datestamp>1244123760000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>5</modscore>
	<htmltext><p>The problem is that there are SSL cert providers who will happily hand over valid certs to anyone with a credit card, and browsers are configured to automatically trust these bozos.  And the ones that are actually diligent in checking credentials will happily hand over username/password for web administration of the domain to anyone who knows the date of birth of the current registrant.</p></htmltext>
<tokenext>The problem is that there are SSL cert providers who will happily hand over valid certs to anyone with a credit card , and browsers are configured to automatically trust these bozos .
And the ones that are actually diligent in checking credentials will happily hand over username/password for web administration of the domain to anyone who knows the date of birth of the current registrant .</tokentext>
<sentencetext>The problem is that there are SSL cert providers who will happily hand over valid certs to anyone with a credit card, and browsers are configured to automatically trust these bozos.
And the ones that are actually diligent in checking credentials will happily hand over username/password for web administration of the domain to anyone who knows the date of birth of the current registrant.</sentencetext>
</comment>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_05_003253_13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28220881
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217307
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217203
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_05_003253_5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28223601
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217615
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_05_003253_8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28222561
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217091
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_05_003253_2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28220799
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217303
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217213
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_05_003253_9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217765
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217303
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217213
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_05_003253_6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217295
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217213
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_05_003253_10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28223241
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217615
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_05_003253_14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28218451
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217303
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217213
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_05_003253_11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28220583
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217305
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_05_003253_3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28219011
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217639
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_05_003253_15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28227437
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217747
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217559
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217305
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_05_003253_0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28224469
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217305
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_05_003253_12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28218295
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217303
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217213
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_05_003253_7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217801
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217303
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217213
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_05_003253_16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217933
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217583
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_05_003253_1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28230257
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217213
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_05_003253_4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217353
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217305
</commentlist>
</thread>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_05_003253.0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217213
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217295
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28230257
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217303
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217801
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28218451
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28220799
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217765
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28218295
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_05_003253.4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217615
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28223241
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28223601
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_05_003253.2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217639
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28219011
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_05_003253.9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217305
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217353
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28224469
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28220583
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217559
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217747
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28227437
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_05_003253.7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28218107
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_05_003253.1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217583
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217933
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_05_003253.8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217091
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28222561
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_05_003253.10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217327
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_05_003253.6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217531
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_05_003253.5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217203
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217307
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28220881
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_05_003253.3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_05_003253.28217593
</commentlist>
</conversation>
