On 12/08/2013 09:41 PM, Phillip Hallam-Baker wrote:
On Sun, Dec 8, 2013 at 9:22 PM, Doug Barton <dougb@xxxxxxxxxxxxx> wrote:
On 12/08/2013 10:21 AM, Phillip Hallam-Baker wrote:
As I pointed out, what I was objecting to was yet another iteration of someone asserting that the DNSSEC PKI is different from the CA system in a way that it is not actually different. So I don't have to fix DNSSEC, all I need to fix here is to have David and others stop making claims for the protocol that are not supported by evidence.
Um, no. What you originally asserted was that the root was vulnerable to being hijacked by an NSL. You have yet to provide any evidence of that, and when confronted by evidence to the contrary you changed the subject. So leaving aside the fine points of PKI and how they do or do not relate to the root, do you have _any_ evidence to support your original assertion?
What I said was that any root management is vulnerable to government coercion. And that is still obviously true.
So your proof consists of, "Of course I'm right?"
Having performed a root key generation in public does not guarantee that future operations will be public.
Let's take as a truism that we cannot guarantee that future events will be public, sure. However the question remains, how does any government influence the situation to their benefit without the public knowing? After all, the whole point of this exercise is for them to be able to "slip something in" undetected, right?
Given that the ZSK rolls happen on a predefined schedule, and have always been public, and all of the relevant ZSKs are visible in the zone file; wouldn't changing either of the first 2 parameters raise many, many alarm bells? And if the new ZSK that showed up on schedule was different than the pre-announced one, wouldn't that raise just as many bells?
Publishing the legit ceremonies might provide some additional transparency but does not prevent an illegitimate ceremony being inserted.
Theoretically that's true, sure. But the real question is what practical benefit would it have for the coercer? Again I'm asking for you to outline the attack you have in mind in detail.
The only real control is that any attack leaves irrefutable evidence and only a government has the ability to mount such an attack. The idea that the NSA or FBI would take such a step in the case of the DNS is ridiculous, it would be tantamount to a treaty violation. But the idea that they would take similar action against a US based CA or browser provider is equally ridiculous.
Sorry, I don't understand most of what you wrote in the paragraph above. It sounds interesting though. :)
Doug
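The check discussed in this message (does the ZSK that appears in the zone match the pre-announced one?) can be sketched as below. This is an added example, not part of either poster's message and not code from any DNS operator; it assumes the pre-announced and observed DNSKEY records are available as presentation-format strings, and all key material shown is constructed.

```python
import base64
import struct

def parse_dnskey(line):
    """Parse '<flags> <protocol> <algorithm> <base64 key>' into (flags, wire RDATA)."""
    flags, proto, alg, *b64 = line.split()
    key = base64.b64decode("".join(b64))
    return int(flags), struct.pack("!HBB", int(flags), int(proto), int(alg)) + key

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B (algorithms other than 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def audit_zsks(announced, observed):
    """Compare observed ZSKs (flags 256) against the pre-announced set.

    Matching is done on the full RDATA, because key tags can collide;
    tags are only used to report which keys differ.
    """
    def zsks(lines):
        found = {}
        for line in lines:
            flags, rdata = parse_dnskey(line)
            if flags == 256:  # zone key with the SEP bit clear
                found[rdata] = key_tag(rdata)
        return found

    want, seen = zsks(announced), zsks(observed)
    return {
        "unexpected": sorted(t for rd, t in seen.items() if rd not in want),
        "missing": sorted(t for rd, t in want.items() if rd not in seen),
    }

# Constructed sample records (toy 3-byte keys, not real root zone keys).
ANNOUNCED = ["256 3 8 AQAB", "256 3 8 AQID"]
OBSERVED = ["257 3 8 AQAB", "256 3 8 AQAB", "256 3 8 BAUG"]

if __name__ == "__main__":
    print(audit_zsks(ANNOUNCED, OBSERVED))
```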