ietf

Re: https at ietf.org

2013-11-25 17:35:09
As I'm sure you're aware, for this attack to work, not only would the US government need to compromise the root KSK HSMs and a rather Byzantine set of safeguards, they would also presumably need to do so in a way that would reduce the likelihood that the compromised elements would be noticed.

Well, sure. If I were the NSA, I would arrange for a server that mirrored the real data except for a few bits that I wanted to spear phish. I think it's reasonable to assume that for high-value targets the NSA can bring a lot of money and skilled people to the project.

ICANN went to significant lengths to make everything done with the KSK extremely well documented and as public as humanly possible.

"Give us the signing keys."

"Sorry, we have all these complicated security procedures."

"The guy standing next to me is a US Marshal. You can give us the keys by COB today, or he can haul your asses to jail. Your choice. If there are other people whose help you need to get the keys and they're in the US, they'll have the same choice. If they're outside the US, um, depends where they are."

Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
