So we have totally abandoned the idea of doing DNSSEC in the end point client? Trust roots have to be valid for at least a decade to be acceptable to the application vendor community. And even though the current model of network administration is to constantly fiddle with everything, I think that is going to have to stop. On Thu, Jun 11, 2009 at 8:48 PM, Mark Andrews<marka@xxxxxxx> wrote: > > In message <a123a5d60906110800i58353c99wc6b16a50395dc5f4@xxxxxxxxxxxxxx>, Phill > ip Hallam-Baker writes: >> OK, how do you do that if the ICANN root is baked into your broadband >> router? How about a light switch? > > Given that the ICANN root servers have a history of changing > address I would not expect any vendor to not provide a > mechanism for changing them. We build in the ICANN root > servers in our products but we also provide mechanisms to > change them. > > % grep ROOT-SE CHANGES > 2328. [maint] Add AAAA addresses for A.ROOT-SERVERS.NET, > F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET, > J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and > M.ROOT-SERVERS.NET. > 2255. [maint] L.ROOT-SERVERS.NET is now 199.7.83.42. > 1567. [maint] B.ROOT-SERVERS.NET is now 192.228.79.201. > 1397. [maint] J.ROOT-SERVERS.NET is now 192.58.128.30. > % > > The same thing will have to be provided for and DNSKEY's > embedded in software as the expectation is that these will > change relatively often, much more often than CA certs. > >> Yes in theory I can reverse engineer the code. In practice this is not >> practical. In theory the music industry could set up their own >> alternative to iTunes, in practice they have no choice but to deal >> with Apple. > > Governments are not private companies. Governments often do > things no sane company would do. > >> Most cell phones ship with only a small number of SSL roots and the >> end user has no ability to change them. >> >> You can change the signing key, but distributing and embedding the >> verification key is a whole different issue. The reason that VeriSign >> can charge a premium for certs is because its verification roots are >> the most widely embedded. >> >> You may disagree with my arguments here, but you do not have the >> standing to call them 'specious'. > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: marka@xxxxxxx > -- -- New Website: http://hallambaker.com/ View Quantum of Stupid podcasts, Tuesday and Thursday each week, http://quantumofstupid.com/ _______________________________________________ Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf