On Tue, 23 Oct 2012, Daniel Kahn Gillmor wrote:
> I'm not saying DANE is a perfect solution (I particularly don't like the concentration of hierarchical power represented by the DNS)
The hierarchical problem is pretty much an enigma case. If the root key or the com key ever gets abused, for instance by providing custom records with signatures to target someone specifically, and such a record ever leaks out for us to verify, they will lose that trust forever, and the UN or some other body will step in with a new method and trust model.

If these keys get "stolen", I think everyone will probably assume what really happened is the above paragraph. That's why I trust the root key and Verisign to do a good job.

This is the same principle where Queen Beatrix of The Netherlands in theory can fire the government, while in practice it would be her last time she could. (unlike Harper in Canada, but I digress)

What we will see in practice, is Registrar and Registry compromises, where people simply add or replace DS records. I expect any Fortune 500 company to monitor their DNS for such abuse.

Paul
_______________________________________________
therightkey mailing list
https://www.ietf.org/mailman/listinfo/therightkey
