DNSSEC to be strangled at birth.

kent at songbird.com kent at songbird.com
Fri Apr 6 10:12:39 EDT 2007


On Thu, Apr 05, 2007 at 04:49:33PM -0700, Paul Hoffman wrote:
> At 7:26 PM -0400 4/5/07, Thor Lancelot Simon wrote:
> >On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote:
> >>
> >> Control: The root signing key only controls the contents of the root,
> >> not any level below the root.
> >
> >That is, of course, false,
> 
> This is, of course, false. In order to control the contents of the 
> second level of the DNS, they have to either change the control of 
> the first level (it's kinda obvious when they take .net away from 
> VeriSign) or they have to sign across the hierarchy (it's kinda 
> obvious when furble.net is signed by someone other than .net).

Your argument is that DHS couldn't do this covertly, but that's only part
of the picture.  I can imagine scenarios where they do things *overtly*.

[...]

> Because I believe that ISPs, not just security geeks, will be 
> vigilant in watching whether there is any layer-hopping signing and 
> will scream loudly when they see it. AOL and MSN have much more to 
> lose if DHS decides to screw with the DNS than anyone on this list 
> does. Having said that, it is likely that we will be the ones to 
> shoot the signal flares if DHS (or ICANN, for that matter) misuses 
> the root signing key. But it won't be us that causes DHS to stand 
> down or, more likely, get thrown off the root: it's the companies who 
> have billions of dollars to lose if the DNS becomes untrusted.

1) It's untrusted now.
2) The argument could be that they are doing it to make it more trusted.

I agree: highly unlikely.  But not impossible.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
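The two signals the thread says would be "kinda obvious" (a zone whose DNSKEY is signed by a name other than the zone itself, and a delegation such as .net being handed to a different key) can be checked structurally without any cryptography. The following is an added example written for this archive page, not code from the thread or from any DNSSEC implementation: it runs over a constructed set of DS/DNSKEY/RRSIG records with made-up key tags, flags cross-hierarchy signatures (RFC 4035 requires the RRSIG signer's name to be the zone holding the RRset) and DS/DNSKEY mismatches, and diffs DS sets between two snapshots to catch a re-delegation that is internally consistent and so invisible to the per-chain audit alone.

```python
"""Structural audit of a DNSSEC chain of trust for cross-hierarchy signing.

Added example for this archive page (not from the thread). Records are
constructed tuples (owner, rtype, data); key tags are placeholder integers
and no signatures are actually verified.
"""

# Constructed snapshot of a healthy chain from the root down to furble.net.
# A DS record's owner is the child name, but the record is served by the parent.
HEALTHY_CHAIN = [
    (".", "DNSKEY", {"key_tag": 1001}),
    (".", "RRSIG", {"covers": "DNSKEY", "signer": ".", "key_tag": 1001}),
    ("net.", "DS", {"key_tag": 2002}),                       # lives in the root zone
    ("net.", "DNSKEY", {"key_tag": 2002}),
    ("net.", "RRSIG", {"covers": "DNSKEY", "signer": "net.", "key_tag": 2002}),
    ("furble.net.", "DS", {"key_tag": 3003}),                # lives in the net. zone
    ("furble.net.", "DNSKEY", {"key_tag": 3003}),
    ("furble.net.", "RRSIG", {"covers": "DNSKEY", "signer": "furble.net.", "key_tag": 3003}),
]


def parent_zone(name):
    """Parent of a fully qualified zone name ('furble.net.' -> 'net.'); None for the root."""
    if name == ".":
        return None
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def ancestors(zone):
    """Zones from the root down to `zone`, e.g. ['.', 'net.', 'furble.net.']."""
    path = []
    while zone is not None:
        path.append(zone)
        zone = parent_zone(zone)
    return list(reversed(path))


def _select(records, owner, rtype):
    return [data for (o, t, data) in records if o == owner and t == rtype]


def audit_chain(records, zone):
    """Walk root -> zone and return human-readable findings (empty list = clean)."""
    findings = []
    for z in ancestors(zone):
        key_tags = {k["key_tag"] for k in _select(records, z, "DNSKEY")}
        sigs = [s for s in _select(records, z, "RRSIG") if s["covers"] == "DNSKEY"]
        if not key_tags or not sigs:
            findings.append(f"{z}: DNSKEY RRset or its RRSIG is missing")
            continue
        for sig in sigs:
            # RFC 4035 5.3.1: the signer's name must be the zone that holds the RRset.
            if sig["signer"] != z:
                findings.append(f"{z}: DNSKEY signed across the hierarchy by {sig['signer']}")
            elif sig["key_tag"] not in key_tags:
                findings.append(f"{z}: RRSIG key tag {sig['key_tag']} matches no DNSKEY in the zone")
        parent = parent_zone(z)
        if parent is not None:
            ds_tags = {d["key_tag"] for d in _select(records, z, "DS")}
            if not ds_tags & key_tags:
                findings.append(f"{z}: no DS in {parent} matches any DNSKEY (delegation changed or unsigned)")
    return findings


def ds_changes(before, after):
    """Delegation diff between two snapshots: {zone: (old DS tags, new DS tags)}."""
    def ds_map(records):
        m = {}
        for owner, rtype, data in records:
            if rtype == "DS":
                m.setdefault(owner, set()).add(data["key_tag"])
        return m
    old, new = ds_map(before), ds_map(after)
    return {z: (old.get(z, set()), new.get(z, set()))
            for z in old.keys() | new.keys() if old.get(z) != new.get(z)}


def tampered_chain():
    """Constructed: furble.net.'s DNSKEY re-signed directly by the root key."""
    chain = [r for r in HEALTHY_CHAIN if not (r[0] == "furble.net." and r[1] == "RRSIG")]
    chain.append(("furble.net.", "RRSIG", {"covers": "DNSKEY", "signer": ".", "key_tag": 1001}))
    return chain


def rekeyed_chain():
    """Constructed: net. handed to a new key, with DS, DNSKEY and RRSIG all replaced consistently."""
    chain = [r for r in HEALTHY_CHAIN if r[0] != "net."]
    chain += [
        ("net.", "DS", {"key_tag": 9999}),
        ("net.", "DNSKEY", {"key_tag": 9999}),
        ("net.", "RRSIG", {"covers": "DNSKEY", "signer": "net.", "key_tag": 9999}),
    ]
    return chain


if __name__ == "__main__":
    for label, chain in [("healthy", HEALTHY_CHAIN),
                         ("cross-signed", tampered_chain()),
                         ("re-delegated", rekeyed_chain())]:
        print(label, audit_chain(chain, "furble.net.") or "clean")
    print("DS changes vs. baseline:", ds_changes(HEALTHY_CHAIN, rekeyed_chain()))
```

The re-delegated snapshot passes `audit_chain` because every record in it agrees with its neighbours; only the comparison against an earlier snapshot shows that .net's DS moved from one key to another. That is why the per-chain check and a retained baseline belong together in any monitor built along these lines.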