DNSSEC to be strangled at birth.
kent at songbird.com
Fri Apr 6 10:12:39 EDT 2007
On Thu, Apr 05, 2007 at 04:49:33PM -0700, Paul Hoffman wrote:
> At 7:26 PM -0400 4/5/07, Thor Lancelot Simon wrote:
> >On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote:
> >>
> >> Control: The root signing key only controls the contents of the root,
> >> not any level below the root.
> >
> >That is, of course, false,
>
> This is, of course, false. In order to control the contents of the
> second level of the DNS, they have to either change the control of
> the first level (it's kinda obvious when they take .net away from
> VeriSign) or they have to sign across the hierarchy (it's kinda
> obvious when furble.net is signed by someone other than .net).
Your argument is that DHS couldn't do this covertly, but that's only part
of the picture. I can imagine scenarios where they do things *overtly*.
[...]
> Because I believe that ISPs, not just security geeks, will be
> vigilant in watching whether there is any layer-hopping signing and
> will scream loudly when they see it. AOL and MSN have much more to
> lose if DHS decides to screw with the DNS than anyone on this list
> does. Having said that, it is likely that we will be the ones to
> shoot the signal flares if DHS (or ICANN, for that matter) misuses
> the root signing key. But it won't be us that causes DHS to stand
> down or, more likely, get thrown off the root: it's the companies who
> have billions of dollars to lose if the DNS becomes untrusted.
1) It's untrusted now.
2) The argument could be that they are doing it to make it more trusted.
I agree: highly unlikely. But not impossible.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
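The "layer-hopping signing" that the quoted reply says ISPs would notice can be expressed as a validator-style check. This is an added example, not code from the thread; the zone cuts and the observed records are constructed. It applies the standard DNSSEC rule that an RRSIG's signer name must be the apex of the zone that owns the RRset (RFC 4035), and that a child zone's DS record is published only by its parent zone, so a root key signing below the root, or the root publishing a DS that belongs in .net, is flagged.

```python
from typing import Optional

# Constructed zone cuts: the apexes of the zones in this toy hierarchy.
ZONE_CUTS = {".", "net.", "furble.net."}

def zone_apex(name: str, cuts=ZONE_CUTS) -> str:
    """Closest enclosing zone apex of a fully-qualified name (root if none)."""
    labels = [] if name == "." else name.rstrip(".").split(".")
    for i in range(len(labels) + 1):
        rest = labels[i:]
        candidate = ".".join(rest) + "." if rest else "."
        if candidate in cuts:
            return candidate
    return "."

def parent_zone(apex: str, cuts=ZONE_CUTS) -> Optional[str]:
    """Zone that should publish the DS for `apex`; None for the root."""
    if apex == ".":
        return None
    labels = apex.rstrip(".").split(".")[1:]
    return zone_apex(".".join(labels) + "." if labels else ".", cuts)

def audit(records, cuts=ZONE_CUTS):
    """One finding per record whose signer or publisher crosses a zone cut."""
    findings = []
    for r in records:
        if r["type"] == "RRSIG":
            expected = zone_apex(r["owner"], cuts)
            if r["signer"] != expected:
                findings.append(f"RRSIG over {r['owner']} signed by "
                                f"{r['signer']}, expected {expected}")
        elif r["type"] == "DS":
            expected = parent_zone(r["owner"], cuts)
            if r["published_in"] != expected:
                findings.append(f"DS for {r['owner']} published in "
                                f"{r['published_in']}, expected {expected}")
    return findings

# Constructed observations: three legitimate records, then two that hop a layer.
OBSERVED = [
    {"type": "RRSIG", "owner": "furble.net.", "signer": "furble.net."},
    {"type": "DS", "owner": "net.", "published_in": "."},
    {"type": "DS", "owner": "furble.net.", "published_in": "net."},
    {"type": "RRSIG", "owner": "www.furble.net.", "signer": "."},  # root key signing below the root
    {"type": "DS", "owner": "furble.net.", "published_in": "."},    # DS that belongs in .net, published by root
]

if __name__ == "__main__":
    for line in audit(OBSERVED):
        print("ALERT:", line)
```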