On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote:
Control: The root signing key only controls the contents of the root,
not any level below the root.
That is, of course, false, and presumably is _exactly_ why DHS wants
the root signing key: because, with it, one can sign the
At 7:26 PM -0400 4/5/07, Thor Lancelot Simon wrote:
On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote:
Control: The root signing key only controls the contents of the root,
not any level below the root.
That is, of course, false,
This is, of course, false. In order to control
On Thu, Apr 05, 2007 at 04:49:33PM -0700, Paul Hoffman wrote:
because, with it, one can sign the appropriate
chain of keys to forge records for any zone one likes.
If the owner of any key signs below their level, it is immediately
visible to anyone doing active checking. The root signing
At 7:54 PM -0400 4/5/07, Thor Lancelot Simon wrote:
On Thu, Apr 05, 2007 at 04:49:33PM -0700, Paul Hoffman wrote:
because, with it, one can sign the appropriate
chain of keys to forge records for any zone one likes.
If the owner of any key signs below their level, it is immediately
On Thu, Apr 05, 2007 at 05:30:53PM -0700, Paul Hoffman wrote:
At 7:54 PM -0400 4/5/07, Thor Lancelot Simon wrote:
You're missing the point. The root just signs itself a new .net key,
and then uses that to sign a new furble.net key, and so forth. No
unusual key use is required.
And you
On Thu, Apr 05, 2007 at 04:49:33PM -0700, Paul Hoffman wrote:
At 7:26 PM -0400 4/5/07, Thor Lancelot Simon wrote:
On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote:
Control: The root signing key only controls the contents of the root,
not any level below the root.
That is, of
On Thu, Apr 05, 2007 at 04:49:33PM -0700, Paul Hoffman wrote:
At 7:26 PM -0400 4/5/07, Thor Lancelot Simon wrote:
On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote:
Control: The root signing key only controls the contents of the root,
not any level below the root.
That is, of
[[ Agree with Nico's MITM arguments; different point below ]]
At 10:49 AM -0500 4/6/07, Nicolas Williams wrote:
The DHS would get real value in terms of veto power over new TLDs, IFF
it is the only one to possess the root private key. But that's not what
the story said, IIRC.
Whoever owns
You assume the new .net key (and what's signed with it) would be
supplied to all users of the DNS, rather than used for a targeted
attack on one user (or a small number of users). Why assume the
potential adversary will restrict himself to the dumbest possible way
to use the new tools you're
On Fri, Apr 06, 2007 at 05:13:00PM -, John Levine wrote:
You assume the new .net key (and what's signed with it) would be
supplied to all users of the DNS, rather than used for a targeted
attack on one user (or a small number of users). Why assume the
potential adversary will restrict
Nicolas Williams wrote:
Which means that the MITM would need the cooperation
of the client's provider in many/most cases (a
political problem) in order to be able to quickly get
in the middle so close to a leaf node (a technical
problem).
Not a very large political problem. Most ISPs not
11 matches