On Tue, Aug 23, 2022 at 5:06 PM Viktor Dukhovni <ietf-dane@xxxxxxxxxxxx> wrote:
>
> On Tue, Aug 23, 2022 at 08:48:48PM +0000, Warren Kumari wrote:
>
> > It still feels like there is a tiny tweak that can be made that somehow
> > magically solves this without having to rerun the algorithm (minus the
> > selected people), but everything I think of is either wildly baroque, or
> > relies on secrecy, or similar… I have a horrible feeling I'm going to wake
> > up at 3AM with the perfect solution, just to realize once I'm fully awake
> > that it is completely, obviously and hilariously wrong.
>
> Secrecy can be achieved by appointing a set of parties who will release
> pre-committed (SHA2-256 published in advance) secret values at a
> suitable future time, and their values will be hashed together to arrive
> at the "secret" additional seed. At least a majority of the parties in
> question have to be trusted to not collude. Whether such complex

If each secret value has enough entropy, you only need one who does
not collude.

> ceremony is viable or justified is not clear...

Coming up with randomness good enough for this process is an already
solved problem.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 2386 Panoramic Circle, Apopka, FL 32703 USA
 d3e3e3@xxxxxxxxx

> --
> Viktor.
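
The commit-and-reveal ceremony described in the quoted message, sketched as an added example (not code from the thread or from any IETF tooling): each party publishes a SHA-256 commitment in advance, and the revealed values are checked against those commitments before being hashed together into the additional seed. The party names, the length-prefixed combination, and the rule that every committed value must be revealed are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets


def new_secret() -> bytes:
    """256 random bits; a low-entropy value could be guessed from its hash."""
    return secrets.token_bytes(32)


def commit(secret: bytes) -> str:
    """Commitment a party publishes in advance: SHA-256 of its secret value."""
    return hashlib.sha256(secret).hexdigest()


def combined_seed(commitments: dict, reveals: dict) -> str:
    """Verify each revealed value against its commitment, then hash them together.

    commitments: party name -> hex SHA-256 published in advance
    reveals:     party name -> secret bytes released at the agreed time
    """
    missing = sorted(set(commitments) - set(reveals))
    if missing:
        raise ValueError(f"no value revealed by: {', '.join(missing)}")
    h = hashlib.sha256()
    for party in sorted(commitments):  # fixed order: every verifier gets the same seed
        value = reveals[party]
        if not hmac.compare_digest(commit(value), commitments[party]):
            raise ValueError(f"value revealed by {party} does not match its commitment")
        # Length prefix keeps the concatenation unambiguous (assumption of this sketch).
        h.update(len(value).to_bytes(4, "big") + value)
    return h.hexdigest()


if __name__ == "__main__":
    # Constructed parties; each generates its secret privately.
    held = {name: new_secret() for name in ("party-a", "party-b", "party-c")}
    published = {name: commit(s) for name, s in held.items()}  # announced in advance
    print("additional seed:", combined_seed(published, held))  # after the reveal
    held["party-b"] = new_secret()  # a party swaps its value after committing
    try:
        combined_seed(published, held)
    except ValueError as err:
        print("rejected:", err)
```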