On Thu, Apr 05, 2007 at 04:49:33PM -0700, Paul Hoffman wrote:
> At 7:26 PM -0400 4/5/07, Thor Lancelot Simon wrote:
> >On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote:
> >>
> >> Control: The root signing key only controls the contents of the root,
> >> not any level below the root.
> >
> >That is, of course, false,
>
> This is, of course, false. In order to control the contents of the
> second level of the DNS, they have to either change the control of
> the first level (it's kinda obvious when they take .net away from
> VeriSign) or they have to sign across the hierarchy (it's kinda
> obvious when furble.net is signed by someone other than .net).
Your argument is that DHS couldn't do this covertly, but that's only part of the picture. I can imagine scenarios where they do things *overtly*.

[...]

> Because I believe that ISPs, not just security geeks, will be
> vigilant in watching whether there is any layer-hopping signing and
> will scream loudly when they see it. AOL and MSN have much more to
> lose if DHS decides to screw with the DNS than anyone on this list
> does. Having said that, it is likely that we will be the ones to
> shoot the signal flares if DHS (or ICANN, for that matter) misuses
> the root signing key. But it won't be us that causes DHS to stand
> down or, more likely, get thrown off the root: it's the companies who
> have billions of dollars to lose if the DNS becomes untrusted.

1) It's untrusted now.

2) The argument could be that they are doing it to make it more trusted. I agree: highly unlikely. But not impossible.

---------------------------------------------------------------------
The Cryptography Mailing List
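The "layer-hopping signing" the thread describes (a key from one zone signing records that belong to a zone below it) is mechanically detectable: the signer name in an RRSIG must be the apex of the zone that holds the owner name, except that DS records at a delegation point are legitimately signed by the parent. The audit below is an added example, not code from the thread or from any DNSSEC validator; the zone cuts and the RRSIG tuples are constructed sample data, and a real validator already rejects such signatures under RFC 4035 rather than merely flagging them.

```python
# Added example: flag RRSIGs whose signer is not the zone that should have
# signed the RRset. Zone cuts and records below are constructed assumptions.

ZONE_APEXES = {".", "net.", "furble.net."}  # constructed list of zone cuts


def normalize(name):
    """Lower-case, fully-qualified form with a trailing dot ('.' for root)."""
    name = name.lower().rstrip(".") + "."
    return name


def parent_name(name):
    """Strip the leftmost label; the parent of a TLD is the root."""
    labels = normalize(name).rstrip(".").split(".")
    return normalize(".".join(labels[1:])) if len(labels) > 1 else "."


def zone_of(owner, apexes):
    """Closest enclosing zone apex of owner: the longest matching suffix."""
    owner, best = normalize(owner), "."
    for apex in (normalize(a) for a in apexes):
        if apex == ".":
            continue
        if (owner == apex or owner.endswith("." + apex)) and len(apex) > len(best):
            best = apex
    return best


def expected_signer(owner, rtype, apexes):
    zone = zone_of(owner, apexes)
    # A DS RRset lives at the child's apex but is signed by the parent zone;
    # that is how the root key legitimately controls the DS for .net.
    if rtype == "DS" and zone == normalize(owner) and zone != ".":
        return zone_of(parent_name(owner), apexes)
    return zone


SAMPLE_RRSIGS = [  # constructed: (owner, RR type, signer name from the RRSIG)
    ("net.", "DS", "."),               # root signs the delegation for .net
    ("net.", "SOA", "net."),           # .net signs its own apex
    ("furble.net.", "DS", "net."),     # .net signs the delegation for furble.net
    ("furble.net.", "A", "."),         # root key signing inside furble.net: hop
    ("www.furble.net.", "A", "net."),  # .net key signing inside furble.net: hop
]


def audit(rrsigs, apexes=ZONE_APEXES):
    """Return the records whose signer is not the zone expected to sign them."""
    return [r for r in rrsigs
            if normalize(r[2]) != expected_signer(r[0], r[1], apexes)]
```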