On Thu, 5 Sep 2013, Phillip Hallam-Baker wrote:

> * Allowing deployment of DNSSEC to be blocked in 2002(sic) by blocking a technical change that made it possible to deploy in .com.

As an opponent of DNSSEC opt-in back in the day, I think this is a poor example of NSA influence in the standards process.

I do not challenge PHB's "theory that the NSA has plants in the IETF to discourage moves to strong crypto", particularly given John Gilmore's recent message on IPSEC, but I doubt that the NSA had any real influence on the DNSSEC opt-in debacle of 2003.

First, DNSSEC does not provide confidentiality. Given that, it's not clear to me why the NSA would try to stop or slow its deployment.

Second, as I look at the people who opposed opt-in and the IETF working group chairs who made the decision to kill it, I don't see likely NSA stooges. The list of opponents during working group last call was so short [1] (as compiled by PHB, back in the day) that I thought the working group chairs got the consensus call wrong. The DNSEXT chairs were Randy Bush and Olafur Gudmundsson. In previous years, Olafur had worked for TIS Labs, which had taken plenty of DoD money over the years. Even so, I do not suspect he was influenced by the NSA. Randy has taken money from DHS in more recent years, but I'm even more convinced he was not an NSA stooge. (Randy was the chair issuing the opt-in last call and writing the summary.)

Third, many of the opt-in opponents in 2003 seemed to be pretty convinced that the lowered security guarantees and extra complexity of opt-in were nothing more than a subsidy for Verisign, which could just as well throw more money at the problem of signing its large zones. One might plausibly argue that Verisign's push for opt-in (and its later push for NSEC3) was itself a stalling tactic. One might even go further and say that Verisign initiated such stalling at the behest of the NSA. I would not make that argument, but it is at least as plausible as an argument that the opt-in opponents or WG chairs were NSA stooges.

Lastly, the US DoD was funding some amount of work on DNSSEC at the time (i.e., my own participation). During that timeframe, significant progress was being made on the deployability of DNSSEC, and I think the DoD funding helped. Depending on your whims, you could either credit DoD for helping or blame them for not providing even more funding, which might have made for faster progress.

So, again, while PHB's general theory might have merit, I think the DNSSEC opt-in example is not on point.

Disclosures: I was deeply involved in the IETF's DNSEXT working group during this time, and my funding came from non-NSA bits of DoD. I am not aware of any NSA influence in my funding, and I felt no NSA pressure in the work I was doing. I was a vocal opponent of opt-in, but in the end I chose to "step aside and let it advance".[2]

-- Samuel Weiler

[1] http://marc.info/?l=namedroppers&m=105145468327451&w=2

[2] http://marc.info/?l=namedroppers&m=104874927417175&w=2

The cryptography mailing list