On Thu, Dec 05, 2013 at 10:35:30AM -0500,
Russ Mundy <[email protected]> wrote
a message of 67 lines which said:
> I've seen some references on this list saying (essentially) that it
> is a valid assumption that an "attacker" ("unauthorized entity"
> might be a better term) can get or already has the DNS root (& maybe
> .com) private key.
Small fix: I did not say so (the root private key is in an HSM and
presumably, nobody, not even the NSA, can take it out). I said "the
NSA can probably sign arbitrary data with the private key of the
root". In practice, it has the same consequences. But it is a common
mistake when people assert the security of things like domain name
registries. You don't need to hold the private key, you just need the
ability to feed data to the signer and get the result, which is
typically much easier.
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
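The distinction drawn in the message above (holding the private key versus merely having access to the signer) can be made concrete with a small model of an HSM. The following is an added example, not code from the original message or from any DNSSEC signing system: a hypothetical `hsm` type keeps an Ed25519 private key in an unexported field and exposes nothing but a `Sign` oracle, and the attacker-side `ForgeViaOracle` function never touches the key yet produces a signature that the trust anchor accepts. The record strings are constructed placeholders, not real root or .com zone data, and the `GatedSigner` wrapper is one possible mitigation sketched here, not something the message proposes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Signer is all a client of the HSM ever sees: an oracle that takes data
// and returns a signature. There is deliberately no Export method, so the
// private key itself never leaves the device. (Hypothetical model.)
type Signer interface {
	Sign(data []byte) []byte
}

// hsm keeps the key in an unexported field; the only way to use it is Sign.
type hsm struct {
	priv ed25519.PrivateKey
}

func (h *hsm) Sign(data []byte) []byte { return ed25519.Sign(h.priv, data) }

// NewHSM generates a key pair, seals the private half inside the device and
// hands back only the public half (what a resolver would hold as a trust
// anchor).
func NewHSM() (Signer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &hsm{priv: priv}, pub, nil
}

// ForgeViaOracle is the attacker's side of the argument: it holds no key
// material at all, it just feeds attacker-chosen data to the signer and
// keeps the result.
func ForgeViaOracle(s Signer, data []byte) []byte {
	return s.Sign(data)
}

// Accepts is the resolver-side check: does the trust anchor vouch for this
// data/signature pair? It cannot tell an oracle-obtained signature from a
// legitimate one, because cryptographically there is no difference.
func Accepts(pub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(pub, data, sig)
}

// GatedSigner is a sketch of where the real control has to sit: in front of
// the signer's input channel. It refuses anything the policy does not allow.
// The policy here is a constructed placeholder; a real one would check the
// data against the authoritative, out-of-band zone content.
type GatedSigner struct {
	inner Signer
	allow func(data []byte) bool
}

var ErrPolicy = errors.New("signing request rejected by policy")

func (g *GatedSigner) Sign(data []byte) ([]byte, error) {
	if !g.allow(data) {
		return nil, ErrPolicy
	}
	return g.inner.Sign(data), nil
}

func main() {
	signer, pub, err := NewHSM()
	if err != nil {
		panic(err)
	}
	// Constructed example record, not real zone data.
	bogus := []byte("com. IN DS 12345 8 2 ATTACKER-CHOSEN-DIGEST")
	sig := ForgeViaOracle(signer, bogus)
	fmt.Printf("trust anchor accepts attacker-chosen record: %v\n", Accepts(pub, bogus, sig))
	fmt.Printf("same signature on a different record:        %v\n",
		Accepts(pub, []byte("com. IN DS 1 8 2 OTHER"), sig))

	// With an input-side policy, the same oracle access no longer helps.
	gated := &GatedSigner{inner: signer, allow: func(d []byte) bool {
		return string(d) == "example. IN DS 1 8 2 EXPECTED-DIGEST"
	}}
	_, err = gated.Sign(bogus)
	fmt.Printf("gated signer rejects the bogus record:       %v\n", errors.Is(err, ErrPolicy))
}
```

The point the example makes is the one in the message: the HSM boundary protects the key bytes, not the signing decision. Whoever can get data into the signer and the signature back out has, for every practical purpose, the signing power of the key holder, so the audit question for a registry is "who can submit data to the signer, and what checks that data first?" rather than "where is the key stored?".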