On Tue, Oct 8, 2013 at 9:19 AM, Michael Richardson <mcr+ietf@xxxxxxxxxxxx> wrote:
Phillip Hallam-Baker <hallam@xxxxxxxxx> wrote:
> I think the US executive branch would be better rid of the control before the
> vandals work out how to use it for mischief. But better would be to ensure that
> no such leverage exists. There is no reason for the apex of the DNS to be a
> single root, it could be signed by a quorum of signers (in addition to the key
k-of-n signing for the DNSSEC root was talked about by many, including Tatu
Ylonen back in 1996...
Most crypto hardware supports k-of-n keysplitting and most of the code out there makes use of it. And PKIX CAs use k-of-n keysplitting on a monolithic trust anchor rather than a composite trust anchor. So it is easy to see how a technical decision would go that way.
But the idea of signing the root did not become a practical possibility until much later. I certainly gave the issue no thought when looking at signing .com. I certainly did not think that it was necessary to wait for the root to be signed to sign .com.
I have an alternate proposal: every country's ccTLD should sign the root,
and/or the other TLDs. That actually hands control of the DNS root back
to the legislatures in each country. True: some countries might have
perverted notions of what belongs in the root, and we might get different
views of the Internet. But, this happens already using a variety of
wrong mechanisms that cause harm to the Internet.
I think that is a better approach actually. The CC TLDs are in effect members of a bridge CA and ICANN is merely the bridge administrator.
There would have to be adequate controls to ensure that transfer of the root was practical of course. It is probably necessary for the CC TLDs to be able to sign more than one bridge. After all, Europe has just spent many billions replicating GPS. This would cost less.
And anyone who is a relying party can choose to chain to a single trust anchor or use multiple anchors. So the quorate approach is still available for those who want it. If France, Cuba, the US and India all agree on the validity of the bridge root, then it is probably valid.
Better they do this using good crypto, than that they do this by trying to
subvert the (US-controlled) crypto.
It's not all US controlled, you can use GOST...
Website: http://hallambaker.com/