On Fri, Dec 6, 2013 at 2:04 AM, Doug Barton <dougb(_at_)dougbarton(_dot_)us>
wrote:
On 12/02/2013 01:02 PM, Phillip Hallam-Baker wrote:
These processes were in use in commercial PKI before the first DNSSEC
draft was written over twenty years ago.
Yes, ICANN took advantage of a large existing knowledge base to create a
method of securing the root KSK. It would have been foolish to do otherwise.
David asserted that the processes used by ICANN provided greater security
than those for PKIX PKI, I was pointing out that the claim made is false.
What you do not appear to grasp is that the processes for online roots
are necessarily different as these have to be used at regular intervals.
David is far too polite a person to say so, but frankly I find your
condescension offensive. To the extent that you have useful things to
contribute to the discussion it would be great if you could do so without
being rude. If for no other reason than the gratuitous rudeness obstructs
whatever valid points you may have.
When someone repeats FUD after having the issue explained to them
repeatedly I tend to start speaking plainly.
And I am far too polite to point out that the manner of your response is
hypocritical.
While it might be practical to sign the DNS root zone offline, it
certainly is not practical to sign .com or any other TLD of consequence
offline (except possibly .gov).
Rather than continuing to discuss theory, what would be useful at this
point would be for you to do what has been asked several times now.
As I pointed out, what I was objecting to was yet another iteration of
someone asserting that the DNSSEC PKI is different from the CA system in a
way that it is not actually different.
So I don't have to fix DNSSEC, all I need to fix here is to have David and
others stop making claims for the protocol that are not supported by
evidence.
The problem of securing an online system is intrinsic to the problem of
running PKI at scale.
Describe, in detail, what your threat vector is. Include in your
description the method by which the root, or any other trust anchor would
be compromised, and how that compromise would affect end users _given how
DNSSEC works today_. Otherwise, please stop shouting "the sky is falling."
Please stop making unfair comparisons. Comparing the offline security
management of DNSSEC to the performance of the online CA system is not a
fair comparison. The offline components of the two systems are essentially
identical.
--
Website: http://hallambaker.com/