In message <a123a5d60906110800i58353c99wc6b16a50395dc5f4@xxxxxxxxxxxxxx>, Phillip Hallam-Baker writes:
> OK, how do you do that if the ICANN root is baked into your broadband
> router? How about a light switch?

Given that the ICANN root servers have a history of changing address
I would not expect any vendor to not provide a mechanism for changing
them. We build in the ICANN root servers in our products but we
also provide mechanisms to change them.

% grep ROOT-SE CHANGES
2328. [maint] Add AAAA addresses for A.ROOT-SERVERS.NET,
              F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
              J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
              M.ROOT-SERVERS.NET.
2255. [maint] L.ROOT-SERVERS.NET is now 199.7.83.42.
1567. [maint] B.ROOT-SERVERS.NET is now 192.228.79.201.
1397. [maint] J.ROOT-SERVERS.NET is now 192.58.128.30.
%

The same thing will have to be provided for and DNSKEY's embedded
in software as the expectation is that these will change relatively
often, much more often than CA certs.

> Yes in theory I can reverse engineer the code. In practice this is not
> practical. In theory the music industry could set up their own
> alternative to iTunes, in practice they have no choice but to deal
> with Apple.

Governments are not private companies. Governments often do things
no sane company would do.

> Most cell phones ship with only a small number of SSL roots and the
> end user has no ability to change them.
>
> You can change the signing key, but distributing and embedding the
> verification key is a whole different issue. The reason that VeriSign
> can charge a premium for certs is because its verification roots are
> the most widely embedded.
>
> You may disagree with my arguments here, but you do not have the
> standing to call them 'specious'.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@xxxxxxx