On Sun, Dec 8, 2013 at 9:22 PM, Doug Barton <dougb@xxxxxxxxxxxxx> wrote:
On 12/08/2013 10:21 AM, Phillip Hallam-Baker wrote:Um, no. What you originally asserted was that the root was vulnerable to being hijacked by an NSL. You have yet to provide any evidence of that, and when confronted by evidence to the contrary you changed the subject.
As I pointed out, what I was objecting to was yet another iteration of
someone asserting that the DNSSEC PKI is different from the CA system in
a way that it is not actually different.
So I don't have to fix DNSSEC, all I need to fix here is to have David
and others stop making claims for the protocol that are not supported by
evidence.
So leaving aside the fine points of PKI and how they do or do not relate to the root, do you have _any_ evidence to support your original assertion?
What I said was that any root management is vulnerable to government coercion. And that is still obviously true.
Having performed a root key generation in public does not guarantee that future operations will be public. If we assume that the government has the power to coerce the root key manager they can coerce the vendor of the evidence bags to provide some un-numbered ones and then number them themselves.
In fact I have some unnumbered evidence bags. Most of the vendors send them out as free samples on request.
It is not a criticism of the particular process, it is a fundamental constraint.
Publishing the legit ceremonies might provide some additional transparency but does not prevent an illegitimate ceremony being inserted.
Can't even control it using the crypto hardware since the attacker can coerce them as well. There is no ground truth you can depend on under that attack.
The only real control is that any attack leaves irrefutable evidence and only a government has the ability to mount such an attack. The idea that the NSA or FBI would take such a step in the case of the DNS is ridiculous, it would be tantamount to a treaty violation. But the idea that they would take similar action against a US based CA or browser provider is equally ridiculous.
Website: http://hallambaker.com/