Hello,

On 04/04/07 19:51, Dave Korn wrote:
> The DHS has "requested the master key for the DNS root zone."
>
> http://www.heise.de/english/newsticker/news/87655
> http://www.theregister.co.uk/2007/04/03/dns_master_key_controversy/
> http://yro.slashdot.org/article.pl?sid=07/03/31/1725221
>
> Can anyone seriously imagine countries like Iran or China signing up to a
> system that places complete control, surveillance and falsification
> capabilities in the hands of the US' military intelligence? I could see some
> (but probably not even all) of the European nations accepting the move at face
> value and believing whatever assurances of safeguards the DHS might offer, but
> the rest of the world....? No way.
>
> Surely if this goes ahead, it will mean that DNSSEC is doomed to widespread
> non-acceptance. And unless it's used everywhere, there's very little point
> having it at all.
I guess it's mostly a matter of the expectations that non-US nations have from DNSSEC in the first place.

If I understand this correctly, the situation as it would be once DHS has the keys will be no different from what it is today. The US will be able to spoof DNS responses that are resolved within its cloud. To forge a DNS response you need not only to be able to sign as a DNS server, but you also need to be (on the path of) the DNS server that is asked. This is no different from the situation as it is today, and non-US countries still use the Internet.

The question is whether or not these non-US countries ever expected DNSSEC to solve their problems with US national surveillance. I have no facts, but I believe that they never did. After all, there is some master key somewhere and this master key is kept by someone (I am not sure if key splitting was ever considered). As far as national intelligence is concerned, there is no difference between having the keys held by a ".org" or by a ".gov". The keys are in some nation's jurisdiction and are thus subject to subpoenas that are enabled by some government with its own legal system that the community has no control over. Be it the US, or the EU, or anyone else.

DNSSEC, I think, comes to solve the problem of hackers who fake DNS responses to phish for your credit card details, not the problem of national espionage.

And if you don't expect -- you are not disappointed...

Hagai.

--
Hagai Bar-El - Information Security Analyst
T/F: 972-8-9354152
Web: www.hbarel.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
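The distinction drawn in the reply above, between whoever holds the root key and an ordinary forger, can be made concrete with a small model of a DNSSEC chain of trust. The Go program below is an added illustration written for this page; it is not code from either poster and it is not real DNSSEC (no RRSIG wire format, no KSK/ZSK split, no validity windows, no NSEC). It stands in one Ed25519 key pair per zone, a "DS" record that is a SHA-256 digest of the child's public key signed by the parent, and a resolver that validates from a single trust anchor, the root public key. The zone names, addresses and the three-case scenario are constructed for the example. It shows that a party holding the root private key can mint a fresh `org.` and `example.org.` key pair and a complete chain that validates against the same anchor, while an attacker who has only keys of their own cannot, which is the phishing case the reply says DNSSEC is aimed at. What the code cannot show is the other half of the reply's point: even the forged-but-valid chain is useless unless the forger is on the path to the resolver that is asking.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Zone is a simplified DNSSEC zone: one Ed25519 key pair stands in for its DNSKEY set.
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

func NewZone(name string) Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Zone{Name: name, Pub: pub, Priv: priv}
}

// Record is a signed resource record: owner name, type, data, the signing zone, and the signature.
type Record struct {
	Owner, Type, Data, Signer string
	Sig                       []byte
}

func recordBytes(owner, typ, data string) []byte {
	return []byte(owner + "|" + typ + "|" + data)
}

func (z Zone) Sign(owner, typ, data string) Record {
	return Record{Owner: owner, Type: typ, Data: data, Signer: z.Name,
		Sig: ed25519.Sign(z.Priv, recordBytes(owner, typ, data))}
}

// DSDigest plays the role of a DS record's digest: a hash of the child's public key.
func DSDigest(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Link is one delegation step: the child's DNSKEY plus the DS for it signed by the parent.
type Link struct {
	Zone string
	Key  ed25519.PublicKey
	DS   Record
}

// Response is what a resolver receives: delegations from the TLD down, then the signed answer.
type Response struct {
	Links  []Link
	Answer Record
}

// Validate walks from the trust anchor (the root public key) down to the answer.
func Validate(anchor ed25519.PublicKey, r Response) error {
	parentName, parentKey := ".", anchor
	for _, l := range r.Links {
		if l.DS.Signer != parentName || l.DS.Owner != l.Zone || l.DS.Type != "DS" {
			return fmt.Errorf("DS for %s not issued by parent %s", l.Zone, parentName)
		}
		if !ed25519.Verify(parentKey, recordBytes(l.DS.Owner, l.DS.Type, l.DS.Data), l.DS.Sig) {
			return fmt.Errorf("bad DS signature for %s", l.Zone)
		}
		if l.DS.Data != DSDigest(l.Key) {
			return fmt.Errorf("DNSKEY for %s does not match its DS", l.Zone)
		}
		parentName, parentKey = l.Zone, l.Key
	}
	if r.Answer.Signer != parentName {
		return fmt.Errorf("answer signed by %s, expected %s", r.Answer.Signer, parentName)
	}
	if !ed25519.Verify(parentKey, recordBytes(r.Answer.Owner, r.Answer.Type, r.Answer.Data), r.Answer.Sig) {
		return fmt.Errorf("bad answer signature")
	}
	return nil
}

// BuildChain produces a full delegation chain from root down to the answering zone.
// The legitimate operators and anyone holding the root private key can both call it.
func BuildChain(root Zone, children []Zone, owner, addr string) Response {
	var links []Link
	parent := root
	for _, c := range children {
		links = append(links, Link{Zone: c.Name, Key: c.Pub, DS: parent.Sign(c.Name, "DS", DSDigest(c.Pub))})
		parent = c
	}
	return Response{Links: links, Answer: parent.Sign(owner, "A", addr)}
}

// Scenario returns the resolver's verdict for three constructed cases (nil means accepted).
func Scenario() (legit, rootHolder, forger error) {
	root, org, example := NewZone("."), NewZone("org."), NewZone("example.org.")
	anchor := root.Pub // the resolver's only trust anchor

	// 1. Legitimate chain signed by the real zone operators.
	legit = Validate(anchor, BuildChain(root, []Zone{org, example}, "www.example.org.", "192.0.2.10"))

	// 2. Holder of the root private key needs no other key: it mints its own org./example.org.
	fakeOrg, fakeExample := NewZone("org."), NewZone("example.org.")
	rootHolder = Validate(anchor, BuildChain(root, []Zone{fakeOrg, fakeExample}, "www.example.org.", "198.51.100.7"))

	// 3. Attacker with keys of their own but not the root key: the DS chain breaks at the anchor.
	forger = Validate(anchor, BuildChain(NewZone("."), []Zone{fakeOrg, fakeExample}, "www.example.org.", "198.51.100.7"))
	return
}

func main() {
	legit, rootHolder, forger := Scenario()
	fmt.Println("legitimate chain:              ", legit)
	fmt.Println("chain minted with root key:    ", rootHolder)
	fmt.Println("chain from attacker w/o root:  ", forger)
}
```

Case 3 fails at the first DS signature check, because the only key the resolver trusts a priori is the anchor; case 2 passes every check, since the chain is cryptographically indistinguishable from the real one. Key splitting, which the reply wonders about, would change who can perform case 2, not whether it is possible for whoever assembles the shares.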
