On Thu, 5 Sep 2013, Phillip Hallam-Baker wrote:
* Allowing deployment of DNSSEC to be blocked in 2002(sic) by
blocking a technical change that made it possible to deploy in
As an opponent of DNSSEC opt-in back in the day, I think this is a
poor example of NSA influence in the standards process.
I do not challenge PHB's theory that the NSA has plants in the
IETF to discourage moves to strong crypto, particularly given John
Gilmore's recent message on IPSEC, but I doubt that the NSA had any
real influence on the DNSSEC opt-in debacle of 2003.
First, DNSSEC does not provide confidentiality. Given that, it's not
clear to me why the NSA would try to stop or slow its deployment.
Second, as I look at the people who opposed opt-in and the IETF
working group chairs who made the decision to kill it, I don't see
likely NSA stooges. The list of opponents during working group last
call was so short  (as compiled by PHB, back in the day) that I
thought the working group chairs got the consensus call wrong. The
DNSEXT chairs were Randy Bush and Olafur Gudmundsson. In previous
years, Olafur had worked for TIS Labs, which had taken plenty of DoD
money over the years. Even so, I do not suspect he was influenced by
the NSA. Randy has taken money from DHS in more recent years, but I'm
even more convinced he was not an NSA stooge. (Randy was the chair
issuing the opt-in last call and writing the summary.)
Third, many of the opt-in opponents in 2003 seemed to be pretty
convinced that the lowered security guarantees and extra complexity of
opt-in were nothing more than a subsidy for Verisign, which could just
as well throw more money at the problem of signing its large zones.
One might plausibly argue that Verisign's push for opt-in (and its
later push for NSEC3) was itself a stalling tactic. One might even go
further and say that Verisign initiated such stalling at the behest of
the NSA. I would not make that argument, but it is at least as
plausible as an argument that the opt-in opponents or WG chairs were
Lastly, the US DoD was funding some amount of work on DNSSEC at the
time (i.e., my own participation). During that timeframe, significant
progress was being made on the deployability of DNSSEC, and I think
the DoD funding helped. Depending on your whims, you could either
credit DoD for helping or blame them for not providing even more
funding, which might have made for faster progress.
So, again, while PHB's general theory might have merit, I think the
DNSSEC opt-in example is not on point.
Disclosures: I was deeply involved in the IETF's DNSEXT working group
during this time, and my funding came from non-NSA bits of DoD. I am
not aware of any NSA influence in my funding, and I felt no NSA
pressure in the work I was doing. I was a vocal opponent of opt-in,
but in the end I chose to step aside and let it advance.
-- Samuel Weiler
The cryptography mailing list