Ekr has a very good blog posting on what seems like a bad security decision being made by Verisign on management of the DNS root key.
http://www.educatedguesswork.org/2009/10/on_the_security_of_zsk_rollove.html In summary, a decision is being made to use a "short lived" 1024 bit key for the signature because longer keys would result in excessively large DNS packets. However, such short keys are very likely crackable in short periods of time if the stakes are high enough -- and few keys in existence are this valuable. Perry -- Perry E. Metzger pe...@piermont.com --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
