[[ Agree with Nico's MITM arguments; different point below ]]

At 10:49 AM -0500 4/6/07, Nicolas Williams wrote:
> The DHS would get real value in terms of veto power over new TLDs, IFF
> it is the only one to possess the root private key.  But that's not what
> the story said, IIRC.

Whoever owns the root key would only get to veto the inclusion of new or current TLDs in the DNSSEC-protected namespace, not in the root itself. No one expects that ICANN will be signing the zone keys for most of the TLDs for many, many years, if for no other reason than those TLDs don't even want to be responsible for protecting their zone key.

> The real problem with DHS having these keys in _addition_ to ICANN is
> that the more fingers in the pie the more likely it is that the key will
> be breached, leading to key rollover.

Fully agree. It also means that, if there is a breach, the first few days / months will be spent finger-pointing instead of fixing.

--Paul Hoffman, Director
--VPN Consortium

---------------------------------------------------------------------
The Cryptography Mailing List