On Sun, Dec 8, 2013 at 9:22 PM, Doug Barton <dougb(_at_)dougbarton(_dot_)us>
wrote:
On 12/08/2013 10:21 AM, Phillip Hallam-Baker wrote:
As I pointed out, what I was objecting to was yet another iteration of
someone asserting that the DNSSEC PKI is different from the CA system in
a way that it is not actually different.
So I don't have to fix DNSSEC, all I need to fix here is to have David
and others stop making claims for the protocol that are not supported by
evidence.
Um, no. What you originally asserted was that the root was vulnerable to
being hijacked by an NSL. You have yet to provide any evidence of that, and
when confronted by evidence to the contrary you changed the subject.
So leaving aside the fine points of PKI and how they do or do not relate
to the root, do you have _any_ evidence to support your original assertion?
What I said was that any root management is vulnerable to government
coercion. And that is still obviously true.
Having performed a root key generation in public does not guarantee that
future operations will be public. If we assume that the government has the
power to coerce the root key manager they can coerce the vendor of the
evidence bags to provide some un-numbered ones and then number them
themselves.
In fact I have some unnumbered evidence bags. Most of the vendors send them
out as free samples on request.
It is not a criticism of the particular process, it is a fundamental
constraint.
Publishing the legit ceremonies might provide some additional transparency
but does not prevent an illegitimate ceremony being inserted.
Can't even control it using the crypto hardware since the attacker can
coerce them as well. There is no ground truth you can depend on under that
attack.
The only real control is that any attack leaves irrefutable evidence and
only a government has the ability to mount such an attack. The idea that
the NSA or FBI would take such a step in the case of the DNS is ridiculous,
it would be tantamount to a treaty violation. But the idea that they would
take similar action against a US based CA or browser provider is equally
ridiculous.
--
Website: http://hallambaker.com/