RE: DNSSEC to be strangled at birth.

2007-04-07 Charlie Kaufman
I wonder if the DHS has any idea what it's asking for. The news totally mangled what you might be able to do with that key. Even people on this list have trouble figuring it out. Perhaps they just heard about this root key thing, thought it sounded cool and important, and since they recently

RE: DNSSEC to be strangled at birth.

2007-04-07 Dave Korn
On 06 April 2007 00:50, Paul Hoffman wrote: because, with it, one can sign the appropriate chain of keys to forge records for any zone one likes. If the owner of any key signs below their level, it is immediately visible to anyone doing active checking. Only if they get sent that

Re: DNSSEC to be strangled at birth.

2007-04-07 Anne Lynn Wheeler
Dave Korn wrote: We already had this with PKI and SSL, and it basically failed. Works fine on a small scale in a tightly-disciplined organisation; fails totally to scale to Joe Internet-User. one could claim that PKI failed ... especially in its trusted 3rd party scenario ... since it was an