
Comment Re:There are 900 .com registrars (Score 1) 77

Right, but if Verisign allows any registrar to update DS records for any domain, and not just the ones they're individually responsible for, then a registrar other than your own could push a malicious DS record for your domain into the TLD where it would be duly signed by Verisign, and you're back to trusting 900 separate registrars rather than just your own authorized registrar and Verisign. The TLD should only allow one registrar to update any given domain.

Comment Re:There are 900 .com registrars (Score 1) 77

There are 900 registrars handling .com, any of which can issue a transfer and change the root DNS servers for any .com domain.

So they don't keep track of which registrars are responsible for which domains? That does seem a bit messed up, if true. My impression was that there was a formal process registrars had to go through to transfer control over a domain name—or does that only restrict domain owners, and not registrars? If the control over .com domains is really as chaotic as you say then that is a separate issue that ought to be addressed independent of DANE or DNSSEC.

Even so, DANE still gives you the benefit of domain validation without the need to deal with a traditional CA as well as your DNSSEC trust chain. You also have the option of choosing a TLD with saner access controls than simply granting 900 separate entities global write access.

Comment Re:"Signed all the way". That's just a different C (Score 1) 77

You still have CA, you've just decided that the CA needs to be the same people who run DNS, because ... well no good reason that I can think of. What does that gain you?

First, this is for Domain Validation certificates only. The normal CA process would still apply if you wanted an EV certificate—though you could restrict your domain to a specific EV certificate for additional security.

If someone has control over your domain records they can already obtain a DV certificate for your domain from just about any CA by redirecting the domain to their own servers. What DANE buys you is all the security you would get with Domain Validation minus the need to deal with two different CAs, one for DNSSEC and another for TLS.

As a bonus, with DANE records for a site "" there are only three entities you need to trust: the domain administrator for "", the registrar for "com.", and the root authority. In the traditional CA system any CA can issue a certificate for any domain, so you're forced to trust dozens (if not hundreds) of CAs both to maintain the security of their signing keys and to refrain from issuing an unauthorized certificate for your domain. A breach at any one of those CAs can compromise the security of your site.
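The trust model described above, where the DNSSEC-signed TLSA record rather than a third-party CA decides which certificate is accepted, as an added example (not part of the original comment): a minimal RFC 6698 TLSA match. The certificate bytes are constructed stand-ins, and extracting the SubjectPublicKeyInfo from a real DER certificate is assumed to be done by the caller.

```python
import hashlib
from dataclasses import dataclass
from typing import List

@dataclass
class Cert:
    der: bytes    # full DER certificate (TLSA selector 0)
    spki: bytes   # SubjectPublicKeyInfo extracted from it (selector 1)

@dataclass
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data

def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA presentation format, e.g. '3 1 1 <hex digest>'."""
    usage, selector, matching, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(matching),
                bytes.fromhex(hexdata.replace(" ", "")))

def association_data(cert: Cert, selector: int, matching: int) -> bytes:
    """What a TLSA record for this certificate must contain."""
    selected = {0: cert.der, 1: cert.spki}[selector]
    if matching == 0:
        return selected
    return hashlib.new({1: "sha256", 2: "sha512"}[matching], selected).digest()

def dane_validate(records: List[TLSA], chain: List[Cert], pkix_valid: bool) -> bool:
    """chain[0] is the end-entity cert, chain[1:] the issuers it presented.
    PKIX-* usages (0, 1) still require ordinary CA validation (pkix_valid)
    on top of the match; DANE-* usages (2, 3) replace it, so the
    DNSSEC-signed record alone decides which key is accepted."""
    for r in records:
        if r.usage in (0, 1) and not pkix_valid:
            continue
        candidates = [chain[0]] if r.usage in (1, 3) else chain[1:]
        if any(association_data(c, r.selector, r.matching) == r.data
               for c in candidates):
            return True
    return False

# Constructed sample: opaque bytes standing in for real DER structures.
SITE_EE = Cert(b"DER:example.com end-entity", b"SPKI:example.com key")
SITE_CA = Cert(b"DER:Example Issuing CA", b"SPKI:Example CA key")
ROGUE_EE = Cert(b"DER:cert from a breached CA", b"SPKI:attacker key")
# DANE-EE / SPKI / SHA-256 record the domain operator publishes (DNSSEC-signed).
SITE_RECORD = parse_tlsa("3 1 1 " + association_data(SITE_EE, 1, 1).hex())
```

With usage 3 the rogue certificate fails even though a CA would have validated it, which is the "only three entities to trust" point; with usage 1 the TLSA record is an additional constraint on top of normal CA validation, the "restrict your domain to a specific certificate" case.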

Comment Re:Here's the actual problem, (Score 1) 191

I've lived as an immigrant and guest worker for much of my life, and I've always understood that immigration is a privilege, that as an immigrant I do not have most of the rights of citizens, and that until I become a citizen, I can be asked to leave at any time.

You're selling yourself short. Your rights are not defined by the government's whims. You have just as much right to be here as anyone born within the geopolitical boundaries of the United States. Anyone who tries to claim otherwise (including the U.S. government) is infringing on your natural rights as a sentient being.

Comment Re:Here's the actual problem, (Score 3, Informative) 191

Hint: this is for Visa applications. That is, for foreigners who aren't allowed to visit America without one, and are supplying this information in their own country.

And it's for Visa applications from people who like to hang out with ISIS, which should be an automatic denial in any sane world.

Comment Re:It won't matter (Score 1) 242

After I switched out the cartridges, I shipped the empty cartridge back in the same box I got the new cartridge in, printed out a shipping label and dropped it off at the post office. Hence, I "rented" the cartridge and kept the ink.

You're not renting the cartridge; it belongs to you. You may or may not get a credit towards the purchase of a new cartridge if you return your old one for recycling, but there is no penalty for simply keeping it. If you were renting the cartridge you would be obligated to return it eventually, whether or not you wanted a new one.

There are cases where the container for a consumable really is rented; for example, if you need a small quantity of liquid nitrogen you'll generally want to rent a dewar to carry it rather than buying your own. (Liquid nitrogen is relatively cheap, on its own, but the dewars start at several hundred dollars.)

Comment Re:Liability (Score 1) 497

And then just at the moment BigCorp starts to loose [sic], they settle out of court.

Settlements are voluntary and must be accepted by both sides. If the plaintiff doesn't want to settle there isn't anything BigCorp can do about it.

To me, out of court settlements should not mean that the case should be dropped.

What else would it mean? A settlement is nothing more or less than an agreement to drop the case in exchange for some compensation. You could prohibit settlements entirely, but it makes no sense to have an out-of-court settlement where the court continues to hear the case. Even prohibiting settlement would be somewhat problematic since the court relies on the plaintiff to argue their side of the case convincingly—it doesn't really make sense to punish a plaintiff for withdrawing their claims in response to a better offer by the defendant, and the enforcement necessary to prevent the plaintiff from deliberately losing would be difficult at best. Ultimately the court is there to see to it that disagreements are resolved, not to create new ones. If the plaintiff and defendant can resolve their issues on their own with an out-of-court settlement, why should the court interfere?

Comment Re:This is bullcrap (Score 1) 518

The password (like a key to a safe) ...

I think you mean "like a combination to a safe". Passwords aren't like physical keys—they're something you know, not something you have. And unlike physical keys, which can be seized with a warrant, there is no precedent for requiring a suspect to divulge the code to a combination lock.

Comment Re:Destroy code? (Score 1) 518

I doubt that would work in this case as I'm sure LEO images the media and tries to decrypt the images.

You don't wipe the drive itself, you wipe the key stored in the TPM or equivalent (which is tamper-resistant and not easily cloneable). Even with the master password, no one can decrypt the contents of the drive without the active participation of the original TPM. An image of the encrypted drive will not help at all if the TPM can be persuaded to delete the sole copy of the decryption key, for example by providing it with a duress password.
