[Cryptography] Opening Discussion: Speculation on "BULLRUN"

Phillip Hallam-Baker hallam at gmail.com
Sun Sep 8 08:40:38 EDT 2013


On Sat, Sep 7, 2013 at 9:50 PM, John Gilmore <gnu at toad.com> wrote:

> > >> First, DNSSEC does not provide confidentiality.  Given that, it's not
> > >> clear to me why the NSA would try to stop or slow its deployment.
>
> DNSSEC authenticates keys that can be used to bootstrap
> confidentiality.  And it does so in a globally distributed, high
> performance, high reliability database that is still without peer in
> the world.
>
> It was never clear to me why DNSSEC took so long to deploy, though
> there was one major moment at an IETF in which a member of the IESG
> told me point blank that Jim Bidzos had made himself so hated that the
> IETF would never approve a standard that required the use of the RSA
> algorithm -- even despite a signed blanket license for use of RSA for
> DNSSEC, and despite the expiration of the patent.  I


No, that part is untrue. I sat at the table with Jeff Schiller and Burt
Kaliski when Burt pitched S/MIME at the IETF. He was Chief Scientist of RSA
Labs at the time.

Jim did go after Phil Z. over PGP initially. But Phil Z. was violating the
patent at the time. That led to RSAREF and the MIT version of PGP.


DNSSEC was (and is) a mess as a standard because it is an attempt to
retrofit a directory designed around some very tight network constraints
and with a very poor architecture to make it into a PKI.

> PS: My long-standing domain registrar (enom.com) STILL doesn't support
> DNSSEC records -- which is why toad.com doesn't have DNSSEC
> protection.  Can anybody recommend a good, cheap, reliable domain
> registrar who DOES update their software to support standards from ten
> years ago?


The Registrars are pure marketing operations. Other than GoDaddy which
implemented DNSSEC because they are trying to sell the business and more
tech looks kewl during due diligence, there is not a market demand for
DNSSEC.

One problem is that the Registrars almost invariably sell DNS registrations
at cost or at a loss and make the money up on value added products. In
particular SSL certificates.


-- 
Website: http://hallambaker.com/
