On Tue, Oct 8, 2013 at 9:19 AM, Michael Richardson
<mcr+ietf(_at_)sandelman(_dot_)ca>wrote:
Phillip Hallam-Baker <hallam(_at_)gmail(_dot_)com> wrote:
> I think the US executive branch would be better rid of the control
> before the
> vandals work out how to use it for mischief. But better would be to
> ensure that
> no such leverage exists. There is no reason for the apex of the DNS
to
> be a
> single root, it could be signed by a quorum of signers (in addition
to
> the key
k-of-n signing for the DNSSEC root was talked about by many, including Tatu
Ylonen back in 1996...
Most crypto hardware supports k-of-n keysplitting and most of the code out
there makes use of it. And PKIX CAs use k-of-n keysplitting on a monolithic
trust anchor rather than a composite trust anchor. So it is easy to see how
a technical decision would go that way.
But the idea of signing the root did not become a practical possibility
until much later. I certainly gave the issue no thought when looking at
signing .com. I certainly did not think that it was necessary to wait for
the root to be signed to sign .com.
I have an alternate proposal: every country's ccTLD should sign the root,
and/or the other TLDs. That actually hands control of the DNS root back
to the legislatures in each country. True: some countries might have
perverted notions of what belongs in the root, and we might get different
views of the Internet. But, this happens already using a variety of
wrong mechanisms that cause harm to the Internet.
I think that is a better approach actually. The CC TLDs are in effect
members of a bridge CA and ICANN is merely the bridge administrator.
There would have to be adequate controls to ensure that transfer of the
root was practical of course. It is probably necessary for the CC TLDs to
be able to sign more than one bridge. After all, Europe has just spent many
billions replicating GPS. This would cost less.
And anyone who is a relying party can choose to chain to a single trust
anchor or use multiple anchors. So the quorate approach is still available
for those who want it. If France, Cuba, the US and India all agree on the
validity of the bridge root, then it is probably valid.
Better they do this using good crypto, than that they do this by trying to
subvert the (US-controlled) crypto.
Its not all US controlled, you can use GOST...
--
Website: http://hallambaker.com/