Re: https at ietf.org

On 12/02/2013 01:02 PM, Phillip Hallam-Baker wrote:
> These processes were in use in commercial PKI before the first DNSSEC
> draft was written over twenty years ago.

Yes, ICANN took advantage of a large existing knowledge base to create a method of securing the root KSK. It would have been foolish to do otherwise.

> What you do not appear to grasp is that the processes for online roots
> are necessarily different as these have to be used at regular intervals.

David is far too polite a person to say so, but frankly I find your condescension offensive. To the extent that you have useful things to contribute to the discussion it would be great if you could do so without being rude. If for no other reason than the gratuitous rudeness obstructs whatever valid points you may have.

> While it might be practical to sign the DNS root zone offline, it
> certainly is not practical to sign .com or any other TLD of consequence
> offline (except possibly .gov).

Rather than continuing to discuss theory, what would be useful at this point would be for you to do what has been asked several times now. Describe, in detail, what your threat vector is. Include in your description the method by which the root, or any other trust anchor would be compromised, and how that compromise would affect end users _given how DNSSEC works today_. Otherwise, please stop shouting "the sky is falling."

Doug




