On Nov 25, 2013, at 12:11 PM, David Conrad <drc(_at_)virtualized(_dot_)org> wrote:
> What does that mean? Exactly what threat are you imagining an NSL would be
> used to hide?

Hi, this is the FBI, we would like a copy of the DNSSEC root private key
please, and don't tell anyone you gave it to us. The same attack would work
on .com as well, of course, without bothering with the root key.

To be clear, this is a threat that can be addressed, but we should be thinking
about it as part of the threat model when talking about replacing CA PKI with
DANE. In point of fact, I would argue that the two certificate hierarchies
have different threat models, and that we ought to keep both and use them for
cross-validation where appropriate, not just throw all our eggs in a different
basket and hope for the best.