Surely this is at the point of just being trolling, right?

-----Original Message-----
From: DNSOP <[email protected]> On Behalf Of Masataka Ohta
Sent: Thursday, April 14, 2022 12:56 PM
To: Paul Wouters <[email protected]>
Cc: [email protected] WG <[email protected]>
Subject: Re: [DNSOP] DNSSEC as a Best Current Practice

Paul Wouters wrote:

>> I can't see any reason why you think the root zone is more secure 
>> than TLDs, especially because, as I wrote:
> 
> Because I am informed about their operational procedures and I 
> contributed to the technical design as one of the for the DNS Root 
> Zone Key-Signing-Key of the Root Zone Rollover advisory group.

So, you mean the root zone is secure because of "operational procedures",
which is not cryptographic.

Thank you very much for having confirmed my point that DNSSEC is not
cryptographically secure.

Your point is, surely, conclusive.

> I was also responsible for the design and implementation of a large TLD
> fully implementation redundant DNSSEC signer solution.

So, the root and TLD zones are as secure as diginotar.

> I talked to a lot of TLD operators at ICANN during my term as the IETF
> Liaison to the ICANN Technical Expert Group.

I'm sure none of them were aware that PKI is not cryptographically secure.
So?

>> :  Third, all the CAs, including TLDs, pursuing commercial
>> :  success have very good appearance using such words as
>> :  "HSMs" or "four eyes minimum". That is, you can't
>> :  compare actual operational/physical strength from
>> :  their formal documents.
>
> This is an anecdote, that a logical reasoned argument.

That's your anecdote to mention "HSMs" or "four eyes minimum"
proven to be useless by diginotar.

                                                        Masataka Ohta

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
