I wonder if the DHS has any idea what it's asking for. The news
totally mangled what you might be able to do with that key. Even
people on this list have trouble figuring it out. Perhaps they just
heard about this root key thing, thought it sounded cool and important,
and since they recently watched "Sneakers" they thought they better have

The news articles didn't say whether they wanted to be the only ones
to have it (which they could argue was a good idea because who better
to secure the Internet, but it would mean they would have work to do),
or whether they just wanted a copy (which would be of absolutely no
value defensively - it constitutes a tool for mounting an extremely
difficult and quickly detected attack on the Internet).


p.s. "strangled at birth" seems a bad metaphor. DNSSEC may still be
in diapers, but it turned 10 in January. More like "added another

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James A. Donald
Sent: Friday, April 06, 2007 12:16 PM
To: Nicolas Williams
Cc: Paul Hoffman; [EMAIL PROTECTED]; cryptography@metzdowd.com
Subject: Re: DNSSEC to be strangled at birth.

Nicolas Williams wrote:
 > Which means that the MITM would need the cooperation
 > of the client's provider in many/most cases (a
 > political problem) in order to be able to quickly get
 > in the middle so close to a leaf node (a technical
 > problem).

Not a very large political problem.  Most ISPs not only
roll over for the DOJ, the FBI, and the DHS, they also
roll over for the Russian mafias.

With the root key and the cooperation of nodes close to
the client, you can intercept SSH and SSL communications
that rely on DNSSEC.  Without the root key, you cannot.
This is huge.

This, of course, means the sensible man configures SSH
not to rely on DNSSEC by default, which substantially
reduces the benefit of SSH.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
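As an added illustration of the point James makes in the quoted message (this is not code from the original thread, from OpenSSH or from any DNSSEC implementation), here is a toy model in Go of the chain of trust a validating resolver walks. Ed25519 stands in for DNSSEC's signature algorithms, a SHA-256 digest of the child zone's key stands in for a DS record, and a plain string stands in for SSHFP data; the zone names, the function names and the "SSHFP ..." strings are constructed for the example. It shows that an attacker who controls every zone key below the root still fails at the first delegation, while one holding the root private key can sign a fresh delegation for keys they control and have a forged SSHFP record accepted by a client that trusts DNSSEC-validated answers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone is a toy DNS zone with one signing keypair (standing in for a DNSSEC KSK).
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

func NewZone(name string) Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Zone{Name: name, Pub: pub, Priv: priv}
}

// DS is a delegation record: the parent signs a digest of the child's public key.
type DS struct{ Child string; Digest [32]byte; Sig []byte }

func dsMsg(child string, digest [32]byte) []byte {
	return append([]byte("DS:"+child+":"), digest[:]...)
}

// Delegate is the DS a parent publishes for a child zone.
func (parent Zone) Delegate(child Zone) DS {
	d := sha256.Sum256(child.Pub)
	return DS{Child: child.Name, Digest: d, Sig: ed25519.Sign(parent.Priv, dsMsg(child.Name, d))}
}

// Record is a signed RRset; Data stands in for an SSHFP fingerprint.
type Record struct{ Owner, Data string; Sig []byte }

func rrMsg(owner, data string) []byte { return []byte("RR:" + owner + ":" + data) }

func (z Zone) Publish(owner, data string) Record {
	return Record{Owner: owner, Data: data, Sig: ed25519.Sign(z.Priv, rrMsg(owner, data))}
}

// Chain is what a resolver collects: DS records from the root down, each delegated
// zone's key (ZoneKeys[i] belongs to Delegations[i].Child) and the final record.
type Chain struct {
	Delegations []DS
	ZoneKeys    []ed25519.PublicKey
	Rec         Record
}

// Validate walks the chain from the trust anchor (the root public key); every
// step is checked with the key established by the step above it.
func Validate(anchor ed25519.PublicKey, c Chain) bool {
	if len(c.ZoneKeys) == 0 || len(c.Delegations) != len(c.ZoneKeys) {
		return false
	}
	signer := anchor
	for i, ds := range c.Delegations {
		if !ed25519.Verify(signer, dsMsg(ds.Child, ds.Digest), ds.Sig) {
			return false
		}
		if sha256.Sum256(c.ZoneKeys[i]) != ds.Digest {
			return false
		}
		signer = c.ZoneKeys[i]
	}
	return ed25519.Verify(signer, rrMsg(c.Rec.Owner, c.Rec.Data), c.Rec.Sig)
}

// BuildChain signs the path root -> tld -> zone and publishes one record in zone.
func BuildChain(root, tld, zone Zone, owner, data string) Chain {
	return Chain{
		Delegations: []DS{root.Delegate(tld), tld.Delegate(zone)},
		ZoneKeys:    []ed25519.PublicKey{tld.Pub, zone.Pub},
		Rec:         zone.Publish(owner, data),
	}
}

// AcceptHostKey models an SSH client trusting DNSSEC-validated SSHFP data: the
// presented host key is accepted only if the chain validates and names it.
func AcceptHostKey(anchor ed25519.PublicKey, c Chain, presented string) bool {
	return Validate(anchor, c) && c.Rec.Data == presented
}

// Scenario: is an attacker's host key accepted when forged without the root
// private key, and when forged with it? The honest case is returned for contrast.
func Scenario() (honest, forgedNoRoot, forgedWithRoot bool) {
	root, com, ex := NewZone("."), NewZone("com."), NewZone("example.com.")
	const host = "ssh.example.com." // constructed name for the example
	honest = AcceptHostKey(root.Pub, BuildChain(root, com, ex, host, "SSHFP real"), "SSHFP real")
	// Attacker keys for every zone; without root.Priv the top DS cannot be signed under the anchor.
	aRoot, aCom, aEx := NewZone("."), NewZone("com."), NewZone("example.com.")
	forgedNoRoot = AcceptHostKey(root.Pub, BuildChain(aRoot, aCom, aEx, host, "SSHFP attacker"), "SSHFP attacker")
	// With the real root key the attacker signs a DS for a key they control; everything below validates.
	forgedWithRoot = AcceptHostKey(root.Pub, BuildChain(root, aCom, aEx, host, "SSHFP attacker"), "SSHFP attacker")
	return
}

func main() { fmt.Println(Scenario()) } // honest, forged without root key, forged with root key
```

Run it with go run; it prints true false true. The model leaves out the KSK/ZSK split, RRSIG validity windows and denial-of-existence records, none of which change where the trust comes from: everything below the anchor is only as good as whoever can sign with it. The OpenSSH setting the quoted message alludes to is VerifyHostKeyDNS in ssh_config; with it off, an SSHFP answer, validated or not, does not decide whether a host key is accepted.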