Re: IAB statement on the RPKI.

2010-02-16 10:18:20
It is now generally accepted that PEM was undeployable because the
single root model is not workable. Nobody was going to trust IANA as
the ultimate root of trust, nor were they going to trust RSA.

ICANN has accepted responsibility for the DNS infrastructure.
Unfortunately they don't seem to understand what that means for their
interactions with the IETF. At the very least, ICANN needs to be
issuing operational requirements documents that itemize the protocol
support that is required for deployment.

ICANN was well aware that the lack of opt-out would prevent deployment
of DNSSEC in .com as early as 2000. They had a responsibility to tell
the IETF that this was a non-negotiable requirement and that failure
to meet it would mean that ICANN would be unable to deploy DNSSEC.
Instead they insisted that no deviation from the IETF standard was
permissible.

Ten years later the only part of ICANN that seems to interest them is
the idea that they will have sole control of the root zone. The fact
that others are going to filibuster DNSSEC rather than to allow it to
deploy as at present does not seem to have occurred to them. It is
quite possible that what is driving the GOST issue is that the GRU
really has a thing about vanity crypto. But I think it much more
likely that they are going to use it as part of a series of
regulations that effectively require Russian ISPs to chain their DNSSEC
off the GRU-approved root.

Otherwise the Russian concerns make absolutely no sense. They
certainly understand PKI well enough that control of the root key is a
much bigger deal than the remote possibility that the NSA has tricked
up the made-in-the-US crypto with some backdoor that only the NSA has
noticed in the past three decades.

On Mon, Feb 15, 2010 at 7:45 PM, David Conrad <drc(_at_)virtualized(_dot_)org> wrote:
> On Feb 15, 2010, at 4:40 PM, Phillip Hallam-Baker wrote:
>> PEM (Five years and counting before the project faded away without a
>> definitive declaration of failure)
>> DNSSEC (Ten years and counting)
>
> So, you're blaming IANA and/or ICANN for the failure to deploy both PEM and DNSSEC.
>
> Seriously?
>
> Regards,
> -drc





-- 
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
http://quantumofstupid.com/
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf