Re: https at ietf.org

2013-11-25 11:25:07
On Nov 25, 2013, at 12:11 PM, David Conrad <drc(_at_)virtualized(_dot_)org> wrote:
> What does that mean?  Exactly what threat are you imagining an NSL would be
> used to hide?

Hi, this is the FBI, we would like a copy of the DNSSEC root private key 
please, and don't tell anyone you gave it to us.   The same attack would work 
on .com as well, of course, without bothering with the root key.

To be clear, this is a threat that can be addressed, but we should be thinking 
about it as part of the threat model when talking about replacing CA PKI with 
DANE.   In point of fact, I would argue that the two certificate hierarchies 
have different threat models, and that we ought to keep both and use them for 
cross-validation where appropriate, not just throw all our eggs in a different 
basket and hope for the best.
