
Re: Let's move on - Let's DNSCurve Re: DNSSEC is NOT secure end to end

2009-06-11 20:49:15

In message <a123a5d60906110800i58353c99wc6b16a50395dc5f4(_at_)mail(_dot_)gmail(_dot_)com>, Phillip Hallam-Baker writes:
OK, how do you do that if the ICANN root is baked into your broadband
router? How about a light switch?

        Given that the ICANN root servers have a history of changing
        address I would not expect any vendor to not provide a
        mechanism for changing them.  We build in the ICANN root
        servers in our products but we also provide mechanisms to
        change them.

% grep ROOT-SE CHANGES 
2328.   [maint]         Add AAAA addresses for A.ROOT-SERVERS.NET,
                        F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
                        J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
                        M.ROOT-SERVERS.NET.
2255.   [maint]         L.ROOT-SERVERS.NET is now 199.7.83.42.
1567.   [maint]         B.ROOT-SERVERS.NET is now 192.228.79.201.
1397.   [maint]         J.ROOT-SERVERS.NET is now 192.58.128.30.
% 
 
        The same thing will have to be provided for any DNSKEYs
        embedded in software as the expectation is that these will
        change relatively often, much more often than CA certs.

Yes in theory I can reverse engineer the code. In practice this is not
practical. In theory the music industry could set up their own
alternative to iTunes, in practice they have no choice but to deal
with Apple.

        Governments are not private companies.  Governments often do
        things no sane company would do.
 
Most cell phones ship with only a small number of SSL roots and the
end user has no ability to change them.

You can change the signing key, but distributing and embedding the
verification key is a whole different issue. The reason that VeriSign
can charge a premium for certs is because its verification roots are
the most widely embedded.

You may disagree with my arguments here, but you do not have the
standing to call them 'specious'.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka(_at_)isc(_dot_)org
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
