RE: DNSSEC to be strangled at birth.

2007-04-07 Thread Charlie Kaufman
nail -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James A. Donald Sent: Friday, April 06, 2007 12:16 PM To: Nicolas Williams Cc: Paul Hoffman; [EMAIL PROTECTED]; cryptography@metzdowd.com Subject: Re: DNSSEC to be strangled at birth. Nicolas

RE: DNSSEC to be strangled at birth.

2007-04-07 Thread Dave Korn
On 06 April 2007 00:50, Paul Hoffman wrote: because, with it, one can sign the appropriate chain of keys to forge records for any zone one likes. If the owner of any key signs below their level, it is immediately visible to anyone doing active checking. Only if they get sent that

Re: DNSSEC to be strangled at birth.

2007-04-07 Thread Anne Lynn Wheeler
Dave Korn wrote: We already had this with PKI and SSL, and it basically failed. Works fine on a small scale in a tightly-disciplined organisation; fails totally to scale to Joe Internet-User. one could claim that PKI failed ... especially in its trusted 3rd party scenario ... since it was an

Re: DNSSEC to be strangled at birth.

2007-04-06 Thread Thor Lancelot Simon
On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote: Control: The root signing key only controls the contents of the root, not any level below the root. That is, of course, false, and presumably is _exactly_ why DHS wants the root signing key: because, with it, one can sign the

Re: DNSSEC to be strangled at birth.

2007-04-06 Thread Paul Hoffman
At 7:26 PM -0400 4/5/07, Thor Lancelot Simon wrote: On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote: Control: The root signing key only controls the contents of the root, not any level below the root. That is, of course, false, This is, of course false. In order to control

Re: DNSSEC to be strangled at birth.

2007-04-06 Thread Thor Lancelot Simon
On Thu, Apr 05, 2007 at 04:49:33PM -0700, Paul Hoffman wrote: because, with it, one can sign the appropriate chain of keys to forge records for any zone one likes. If the owner of any key signs below their level, it is immediately visible to anyone doing active checking. The root signing

Re: DNSSEC to be strangled at birth.

2007-04-06 Thread Paul Hoffman
At 7:54 PM -0400 4/5/07, Thor Lancelot Simon wrote: On Thu, Apr 05, 2007 at 04:49:33PM -0700, Paul Hoffman wrote: because, with it, one can sign the appropriate chain of keys to forge records for any zone one likes. If the owner of any key signs below their level, it is immediately

Re: DNSSEC to be strangled at birth.

2007-04-06 Thread Thor Lancelot Simon
On Thu, Apr 05, 2007 at 05:30:53PM -0700, Paul Hoffman wrote: At 7:54 PM -0400 4/5/07, Thor Lancelot Simon wrote: You're missing the point. The root just signs itself a new .net key, and then uses that to sign a new furble.net key, and so forth. No unusual key use is required. And you

Re: DNSSEC to be strangled at birth.

2007-04-06 Thread kent
On Thu, Apr 05, 2007 at 04:49:33PM -0700, Paul Hoffman wrote: At 7:26 PM -0400 4/5/07, Thor Lancelot Simon wrote: On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote: Control: The root signing key only controls the contents of the root, not any level below the root. That is, of

Re: DNSSEC to be strangled at birth.

2007-04-06 Thread Nicolas Williams
On Thu, Apr 05, 2007 at 04:49:33PM -0700, Paul Hoffman wrote: At 7:26 PM -0400 4/5/07, Thor Lancelot Simon wrote: On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote: Control: The root signing key only controls the contents of the root, not any level below the root. That is, of

Re: DNSSEC to be strangled at birth.

2007-04-06 Thread Paul Hoffman
[[ Agree with Nico's MITM arguments; different point below ]] At 10:49 AM -0500 4/6/07, Nicolas Williams wrote: The DHS would get real value in terms of veto power over new TLDs, IFF it is the only one to possess the root private key. But that's not what the story said, IIRC. Whoever owns

Re: DNSSEC to be strangled at birth.

2007-04-06 Thread James A. Donald
Nicolas Williams wrote: Which means that the MITM would need the cooperation of the client's provider in many/most cases (a political problem) in order to be able to quickly get in the middle so close to a leaf node (a technical problem). Not a very large political problem. Most ISPs not

Re: DNSSEC to be strangled at birth.

2007-04-05 Thread Jack Lloyd
On Wed, Apr 04, 2007 at 05:51:27PM +0100, Dave Korn wrote: Can anyone seriously imagine countries like Iran or China signing up to a system that places complete control, surveillance and falsification capabilities in the hands of the US' military intelligence? How is this any different from

Re: DNSSEC to be strangled at birth.

2007-04-05 Thread John Levine
The DHS has requested the master key for the DNS root zone. Can anyone seriously imagine countries like Iran or China signing up to a system that places complete control, surveillance and falsification capabilities in the hands of the US' military intelligence? For anyone who hasn't been

Re: DNSSEC to be strangled at birth.

2007-04-05 Thread Paul Hoffman
anti-rant At 5:51 PM +0100 4/4/07, Dave Korn wrote: Can anyone seriously imagine countries like Iran or China signing up to a system that places complete control, surveillance and falsification capabilities in the hands of the US' military intelligence? No. But how does having the root

Re: DNSSEC to be strangled at birth.

2007-04-05 Thread Peter Gutmann
Dave Korn [EMAIL PROTECTED] writes: Surely if this goes ahead, it will mean that DNSSEC is doomed to widespread non-acceptance. I realise this is a bit of a cheap shot, but: How will this be any different from the current situation? Peter.

Re: DNSSEC to be strangled at birth.

2007-04-05 Thread dan
Dave, For the purposes of discussion, (1) Why should I care whether Iran or China sign up? (2) Who should hold the keys instead of the only powerful military under democratic control? (a) The utterly porous United Nations? (b) The members of this mailing list, channeling for

RE: DNSSEC to be strangled at birth.

2007-04-05 Thread Dave Korn
On 05 April 2007 16:48, [EMAIL PROTECTED] wrote: Dave, For the purposes of discussion, (1) Why should I care whether Iran or China sign up? I think it would be consistent to either a) care that *everybody* signs up, or b) not care about DNSSEC at all, but I think that a fragmentary

RE: DNSSEC to be strangled at birth.

2007-04-05 Thread Joe St Sauver
Dave mentioned: # Can anyone seriously imagine countries like Iran or China signing up to a #system that places complete control, surveillance and falsification #capabilities in the hands of the US' military intelligence? I'm not sure having control of the keys for the root zone would

Re: DNSSEC to be strangled at birth.

2007-04-05 Thread Simon Josefsson
Paul Hoffman [EMAIL PROTECTED] writes: At 5:51 PM +0100 4/4/07, Dave Korn wrote: Can anyone seriously imagine countries like Iran or China signing up to a system that places complete control, surveillance and falsification capabilities in the hands of the US' military intelligence? No.

Re: DNSSEC to be strangled at birth.

2007-04-05 Thread Florian Weimer
* Peter Gutmann: Dave Korn [EMAIL PROTECTED] writes: Surely if this goes ahead, it will mean that DNSSEC is doomed to widespread non-acceptance. I realise this is a bit of a cheap shot, but: How will this be any different from the current situation? You can see that the keys change and

Re: DNSSEC to be strangled at birth.

2007-04-05 Thread Ben Laurie
Simon Josefsson wrote: However, in practice I don't believe many will trust the root key alone -- for example, I believe most if not all Swedish ISPs would configure in trust of the .se key as well. One can imagine a web-of-trust based key-update mechanism that avoids the need to trust a

Re: DNSSEC to be strangled at birth.

2007-04-05 Thread Florian Weimer
* Simon Josefsson: However, in practice I don't believe many will trust the root key alone -- for example, I believe most if not all Swedish ISPs would configure in trust of the .se key as well. There are some examples that such static configuration is extremely bad. Look at the problems