On Fri, Dec 6, 2013 at 2:04 AM, Doug Barton <dougb@xxxxxxxxxxxxx> wrote:
> On 12/02/2013 01:02 PM, Phillip Hallam-Baker wrote:
>> Yes, ICANN took advantage of a large existing knowledge base to create a method of securing the root KSK. It would have been foolish to do otherwise.
>>
>> These processes were in use in commercial PKI before the first DNSSEC
>> draft was written over twenty years ago.
>>
>> David asserted that the processes used by ICANN provided greater security than those for PKIX PKI; I was pointing out that the claim made is false.
>
> David is far too polite a person to say so, but frankly I find your condescension offensive. To the extent that you have useful things to contribute to the discussion it would be great if you could do so without being rude. If for no other reason than the gratuitous rudeness obstructs whatever valid points you may have.
>
>> What you do not appear to grasp is that the processes for online roots
>> are necessarily different as these have to be used at regular intervals.
When someone repeats FUD after having the issue explained to them repeatedly, I tend to start speaking plainly.

And I am far too polite to point out that the manner of your response is hypocritical.
> Rather than continuing to discuss theory, what would be useful at this point would be for you to do what has been asked several times now.
>
>> While it might be practical to sign the DNS root zone offline, it
>> certainly is not practical to sign .com or any other TLD of consequence
>> offline (except possibly .gov).
As I pointed out, what I was objecting to was yet another iteration of someone asserting that the DNSSEC PKI is different from the CA system in a way that it is not actually different.

So I don't have to fix DNSSEC; all I need to fix here is to have David and others stop making claims for the protocol that are not supported by evidence.
>> The problem of securing an online system is intrinsic to the problem of running PKI at scale.
>
> Describe, in detail, what your threat vector is. Include in your description the method by which the root, or any other trust anchor would be compromised, and how that compromise would affect end users _given how DNSSEC works today_. Otherwise, please stop shouting "the sky is falling."
Please stop making unfair comparisons. Comparing the offline security management of DNSSEC to the performance of the online CA system is not a fair comparison. The offline components of the two systems are essentially identical.
Website: http://hallambaker.com/