On Dec 5, 2013, at 7:27 AM, Phillip Hallam-Baker <[email protected]> wrote: > A better approach is to design the system so that it takes a defection by > more than one party. Instead of relying on just the ICANN root KSK require a > TLD to be signed by three out of five trusted national cryptolabs.
Trusted by whom? E.g., trusted like NIST now? (No disrespect of folks at NIST intended: just observing some may no longer view them as trustable) I personally believe a better approach is to make the operation of the system extremely public and documented such that it doesn't matter who is involved since the risk would be too high that attempts at compromise would be observed. This is what ICANN tried to do with the root KSK (one can argue whether they succeeded). Regards, -drc
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
