----- Forwarded message from Doug Barton <[email protected]> -----

Date: Sun, 08 Sep 2013 15:44:05 -0700
From: Doug Barton <[email protected]>
To: [email protected]
Subject: Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130803 Thunderbird/17.0.8

On 09/08/2013 02:25 AM, Eugen Leitl wrote:
> ----- Forwarded message from Gregory Perry <[email protected]> -----
> 
> Date: Sat, 7 Sep 2013 21:14:47 +0000
> From: Gregory Perry <[email protected]>
> To: Phillip Hallam-Baker <[email protected]>
> Cc: "[email protected]" <[email protected]>, ianG <[email protected]>
> Subject: Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"
> 
> On 09/07/2013 05:03 PM, Phillip Hallam-Baker wrote:
> 
> Good theory, only the CA industry tried very hard to deploy and was prevented 
> from doing so because Randy Bush abused his position as DNSEXT chair to 
> prevent modification of the spec to meet the deployment requirements in .com.
> 
> DNSSEC would have deployed in 2003 with the DNS ATLAS upgrade had the IETF 
> followed the clear consensus of the DNSEXT working group and approved the 
> OPT-IN proposal. The code was written and ready to deploy.
> 
> I told the IESG and the IAB that the VeriSign position was no bluff and that 
> if OPT-IN did not get approved there would be no deployment in .com. A 
> business is not going to spend $100 million on deployment of a feature that 
> has no proven market demand when the same job can be done for $5 million with 
> only minor changes.

I was also there in 2003, and for a long time before that, and was
also one of the voices that was saying that we needed opt-in, and
protection from zone walking, or else the thing wouldn't fly. I don't
recall that any 1 person was the reason those things didn't happen
sooner than they did; in fact I recall near-universal sentiment that
zone walking was a non-issue, and that opt-in defeated the very nature
of what DNSSEC was trying to accomplish.

Fast forward to my time at IANA in 2004 and after considerable behind
the scenes organization a coalition of TLD registries came forward and
said that they would not deploy DNSSEC without those 2 features, and
were willing to dedicate the resources to create them. So it was not 1
person who stopped DNSSEC deployment, and it wasn't 1 person who made
it happen.

Your larger point about fiefdoms and oligarchies in the IETF is,
however, tragically accurate. The blindness of the DNSSEC literati to
the real-world needs was a huge part of what caused the delay in
deployment on the authoritative side, and the malaise caused by the
decade+ of fighting to get it out the door is a big contributor to
what's preventing any real solution to the last mile problem (which is
what it takes to make DNSSEC really useful).

Doug



----- End forwarded message -----
-- 
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
