DNSSEC to be strangled at birth.

Paul Hoffman paul.hoffman at vpnc.org
Fri Apr 6 13:07:27 EDT 2007


[[ Agree with Nico's MITM arguments; different point below ]]

At 10:49 AM -0500 4/6/07, Nicolas Williams wrote:
>The DHS would get real value in terms of veto power over new TLDs, IFF
>it is the only one to possess the root private key.  But that's not what
>the story said, IIRC.

Whoever owns the root key would only get to veto the inclusion of new 
or current TLDs in the DNSSEC-protected namespace, not in the root 
itself. No one expects that ICANN will be signing the zone keys for 
most of the TLDs for many, many years, if for no other reason than 
those TLDs don't even want to be responsible for protecting their 
zone key.

>The real problem with DHS having these keys in _addition_ to ICANN is
>that the more fingers in the pie the more likely it is that the key will
>be breached, leading to key rollover.

Fully agree. It also means that, if there is a breach, the first few 
days / months will be spent finger-pointing instead of fixing.

--Paul Hoffman, Director
--VPN Consortium

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


