Is this the first ever practically-deployed use of a threshold scheme?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Aug 2 02:30:10 EDT 2010


Jerry Leichter <leichter at lrw.com> writes:

>One could certainly screw up the design of a recovery system, but one  
>would have to try.  There really ought not be that much of difference  
>between recovering from m pieces and recovering from one.

There's a *huge* difference, see my previous posting on this the last time the 
topic came up, 
http://www.mail-archive.com/cryptography@metzdowd.com/msg07671.html:

  the cognitive load imposed is just so high that most users can't cope with 
  it, particularly since they're already walking on eggshells because they're 
  working on hardware designed to fail closed (i.e. lock everything out) if 
  you as much as look at it funny.

The last time I went through this exercise for a high-value key, after quite 
some time going through the various implications, by unanimous agreement we 
went with "lock an encrypted copy in two different safes" (this was for an 
organisation with a lot of experience with physical security, and their threat 
assessment was that anyone who could compromise their physical security would 
do far more interesting things with the capability than stealing a key).

For the case of DNSSEC, what would happen if the key was lost?  There'd be a 
bit of turmoil as a new key appeared and maybe some egg-on-face at ICANN, but 
it's not like commercial PKI with certs with 40-year lifetimes hardcoded into 
every browser on the planet, is it?  Presumably there's some mechanism for 
getting the root (public) key distributed to existing implementations, could 
this be used to roll over the root or is it still a manual config process for 
each server/resolver?  How *is* the bootstrap actually done, presumably you 
need to go from "no certs in resolvers" to "certs in resolvers" through some 
mechanism.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com