On 07/10/13 12:35, Tobias Oberstein wrote:
DNSSEC seems to follow a centralized/hierachical trust model. Won't help. The NSA will (does?) own those.
The default trust model is to have parent sign the child. Other models are not only possible, they're deployed. Google "DLV" and "trust anchor".
As to whether "the NSA" has the root keys; given recent revelations I rule nothing out. But if this is a concern, I would urge you to investigate and get involved in the root key generation and rollover procedures - there is a rollover coming soon, and more eyes make subversion less likely.
That could be a good start: it would take a community effort to scrutinize, security review and robustify for production. The monoculture of OpenSSL is no good IMHO.
I agree, but there are other options - gnutls, NSS - which have received this scrutiny, if you want to move away from OpenSSL.
_______________________________________________ Twisted-Python mailing list Twisted-Python@twistedmatrix.com http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
