On Thu, Dec 5, 2013 at 10:18 AM, Randy Bush <[email protected]> wrote:

> > If we assume the attacker can get the private root KSK from a US-based
> > corp, then we should also assume they can get the private root ZSK from
> > another US-based corp. As the owner of the root ZSK also owns the keys
> > for .com, the attack becomes much easier.
>
> let's start a list of jurisdictions which we believe are NOT compromised
> and dangerous. i will start it off by submitting andorra.
>

Finding the one person you can trust is a bad strategy. Andorra is
considerably less likely to stand up to NSA bullying attempts than
Microsoft is. Microsoft certainly has more lawyers.

A better approach is to design the system so that it takes a defection by
more than one party. Instead of relying on just the ICANN root KSK, require
a TLD to be signed by three out of five trusted national cryptolabs.

--
Website: http://hallambaker.com/
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
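
The three-out-of-five rule proposed in the message above, sketched as a verifier-side check. This is an added example, not part of the original post or of any DNSSEC implementation; the signer names (`lab-A` to `lab-E`), the record bytes, the seed-derived keys and the choice of Ed25519 are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Sig is a signature over a record, tagged with the signer that claims it.
type Sig struct {
	Signer string
	Value  []byte
}

// labKey derives a fixed demo key from a label (constructed; real keys are never derived this way).
func labKey(name string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte("demo-seed:" + name))
	return ed25519.NewKeyFromSeed(seed[:])
}

// trustedSet returns the public keys of the five hypothetical signers.
func trustedSet() map[string]ed25519.PublicKey {
	t := map[string]ed25519.PublicKey{}
	for _, n := range []string{"lab-A", "lab-B", "lab-C", "lab-D", "lab-E"} {
		t[n] = labKey(n).Public().(ed25519.PublicKey)
	}
	return t
}

// sign produces the named signer's signature over record (demo helper).
func sign(name string, record []byte) Sig {
	return Sig{name, ed25519.Sign(labKey(name), record)}
}

// Accept reports whether at least k distinct trusted signers validly signed record.
func Accept(record []byte, sigs []Sig, trusted map[string]ed25519.PublicKey, k int) bool {
	seen := map[string]bool{}
	for _, s := range sigs {
		pub, ok := trusted[s.Signer]
		if ok && !seen[s.Signer] && ed25519.Verify(pub, record, s.Value) {
			seen[s.Signer] = true // one vote per signer, however many signatures it sends
		}
	}
	return len(seen) >= k
}

func main() {
	rec := []byte("example. DNSKEY <constructed key record>")
	sigs := []Sig{sign("lab-A", rec), sign("lab-B", rec), sign("lab-A", rec)}
	fmt.Println("two labs plus a duplicate:", Accept(rec, sigs, trustedSet(), 3))
	sigs = append(sigs, sign("lab-D", rec))
	fmt.Println("three distinct labs:", Accept(rec, sigs, trustedSet(), 3))
}
```

Counting distinct signers rather than signatures is what makes a single compelled key holder insufficient: repeated signatures from one lab, or a signature from a key outside the trusted set, do not move the count toward the threshold.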
