On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote: > > Control: The root signing key only controls the contents of the root, > not any level below the root.
That is, of course, false, and presumably is _exactly_ why DHS wants the root signing key: because, with it, one can sign the appropriate chain of keys to forge records for any zone one likes. Plus, now that applications are keeping public keys for services in the DNS, one can, in fact, forge those entries and thus conduct man in the middle surveillance on anyone dumb enough to use DNS alone as a trust conveyor for those protocols (e.g. SSH and quite possibly soon HTTPS). I know you understand this stuff well enough to know these risks exist. I'm curious why you'd minimize them. Thor --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]