Re: https at ietf.org

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ted Lemon <ted.lemon@xxxxxxxxxxx> wrote:
    > (1) I'm not trying to impugn the good work that was done in securing
    > the root key.  It was good work, and I think it was very cool.  I am
    > just asking if, despite that good work, an NSL could get around it.
    > It's a fair question.  The answer may be "no," or "not without it
    > becoming public," or "with great difficulty."  I doubt it's "easily."
    > But it's worth asking.  When you did the root signing, we were
    > certainly thinking about this threat model, but it was a bit more
    > academic then than it is now.  I think we still had some illusions that
    > the U.S. government at least would choose a more constrained attack
    > than taking the key to everything; we now know that the government
    > feels no such burden of restraint—they apparently feel that they can be
    > trusted with that key, and we should be willing to provide it.

Based upon my reading of:
      http://www.root-dnssec.org/tcr/selection-2010/

and my understanding from careful reading of the site that any three Crypto
Officers are enough to reconstruct the key, it seems that a US NSL would not
suffice.

There are not three US people in any category, but I did not read how the key
was split.  If two Crypto Officers and a backup crypto officer cound as
three, then I'm wrong: a US NSL takes it.

I was also assuming that CO's for east coast do not also have west coast
keys, but I may be wrong here.

I don't know if the EU has an NSL process, but it seems that the EU could
also recover the keys if it wanted to.

--
Michael Richardson <mcr+IETF@xxxxxxxxxxxx>, Sandelman Software Works


Attachment: pgp7xj2JamRNr.pgp
Description: PGP signature


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]