DNSSEC to be strangled at birth.

Thor Lancelot Simon tls at rek.tjls.com
Thu Apr 5 19:26:31 EDT 2007


On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote:
> 
> Control: The root signing key only controls the contents of the root, 
> not any level below the root.

That is, of course, false, and presumably is _exactly_ why DHS wants
the root signing key: because, with it, one can sign the appropriate
chain of keys to forge records for any zone one likes.

Plus, now that applications are keeping public keys for services in
the DNS, one can, in fact, forge those entries and thus conduct man-in-
the-middle surveillance on anyone dumb enough to use DNS alone as a
trust conveyor for those protocols (e.g. SSH and quite possibly soon
HTTPS).

I know you understand this stuff well enough to know these risks exist.
I'm curious why you'd minimize them.

Thor
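A toy model of the chain-of-trust argument above, added here as an example; it is not part of the original post nor of any DNSSEC implementation. Ed25519 stands in for the DNSKEY algorithms, a SHA-256 digest of a key stands in for the DS record, and the zone names, keys and the leaf record are all constructed. Validate shows why trust in the root key is transitive down the chain, and Demo shows the mitigation: a validator that also pins a zone's own DNSKEY as a local trust anchor (which validating resolvers generally allow) rejects a chain re-signed from the root with other keys.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Link is one zone of a toy DNSSEC chain: its DNSKEY, the data it publishes (a DS
// digest of the child's DNSKEY, or at the leaf the looked-up record) and its RRSIG.
type Link struct{ Name string; Key ed25519.PublicKey; Data, Sig []byte }

func keygen() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
func pub(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }
func ds(key ed25519.PublicKey) []byte { d := sha256.Sum256(key); return d[:] } // toy DS record
func msg(name string, data []byte) []byte { return append([]byte(name+"|"), data...) } // RRSIG input
func sign(name string, priv ed25519.PrivateKey, data []byte) Link { return Link{name, pub(priv), data, ed25519.Sign(priv, msg(name, data))} }

// Chain signs . -> com. -> example.com. with the given private keys, publishing leaf at the bottom.
func Chain(root, com, ex ed25519.PrivateKey, leaf []byte) []Link {
	return []Link{sign(".", root, ds(pub(com))), sign("com.", com, ds(pub(ex))), sign("example.com.", ex, leaf)}
}

// Validate walks the chain top-down: a zone's DNSKEY is accepted if a trust anchor configured for
// that zone equals it, otherwise if the parent's DS matches it; its RRSIG must then verify.
func Validate(anchors map[string]ed25519.PublicKey, links []Link) ([]byte, error) {
	for i, l := range links {
		switch pinned, ok := anchors[l.Name]; {
		case ok && !bytes.Equal(pinned, l.Key):
			return nil, errors.New(l.Name + ": DNSKEY differs from the configured trust anchor")
		case !ok && (i == 0 || !bytes.Equal(ds(l.Key), links[i-1].Data)):
			return nil, errors.New(l.Name + ": no trust anchor and no matching DS in parent")
		case !ed25519.Verify(l.Key, msg(l.Name, l.Data), l.Sig):
			return nil, errors.New(l.Name + ": RRSIG does not verify")
		}
	}
	return links[len(links)-1].Data, nil
}

// Demo: trusting only the root key, a chain re-signed from that key with freshly chosen com. and
// example.com. keys validates; a validator that also pins example.com.'s real DNSKEY rejects it.
func Demo() (rootOnlyAccepts, pinnedAccepts bool) {
	root, ex := keygen(), keygen() // ex: example.com.'s real key, which the re-signed chain never uses
	sub := Chain(root, keygen(), keygen(), []byte("SSHFP substituted")) // constructed sample record
	_, e1 := Validate(map[string]ed25519.PublicKey{".": pub(root)}, sub)
	_, e2 := Validate(map[string]ed25519.PublicKey{".": pub(root), "example.com.": pub(ex)}, sub)
	return e1 == nil, e2 == nil
}
```

Demo returns (true, false): the same chain passes a root-only validator and fails one that pins example.com.'s key, which is the whole of the control argument in a dozen lines.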

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com