Re: [dnsext] historal root keys for upgrade path?

Phillip Hallam-Baker <hallam@gmail.com> Thu, 27 January 2011 16:07 UTC

Date: Thu, 27 Jan 2011 11:10:34 -0500
Message-ID: <AANLkTinXCTmD9_1q6yXn5pgi_4KSRndOcV=BNvAD8-WH@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Paul Wouters <paul@xelerance.com>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, dnsext@ietf.org
Subject: Re: [dnsext] historal root keys for upgrade path?

Both your reply and the reply from the big router vendor make it clear to me
that you simply do not understand my proposal.

There are some cases in which it is acceptable to have anonymous
contributions like this. But in my view big router manufacturers are quite
capable of representing themselves directly in IETF and should not have need
of intermediaries.

Please tell your associate that if this is an issue, they should participate
in the group directly.


On Wed, Jan 26, 2011 at 4:41 PM, Paul Wouters <paul@xelerance.com> wrote:

> On Wed, 26 Jan 2011, Phillip Hallam-Baker wrote:
>
>> Paul, you came here with an assertion that you were interested in solving
>> a particular problem.
>> Since then you have changed the problem whenever people suggest an
>> alternative that does not match your
>> proposed solution.
>>
>
>> If I was a major router manufacturer or any other manufacturer, I would
>> make sure that there was satisfactory
>> control of the ultimate root of trust embedded in my products.
>>
>
> This particular big router vendor has stated to me that using X.509 and
> CAs cannot
> be part of the solution, exactly for the reasons I have mentioned in
> previous emails.
>
> These are their words exactly:
>
>   Frankly, one of the most compelling reasons for wanting to see
>   ubiquitous DNSSEC is precisely this long, ever changing list of X.509
>   CAs, each with its own policies, procedures, personnel, and pressure
>   points, and each representing an opportunity for total failure of the
>   whole PKI. X.509 as deployed is a security disaster, and I see
>   basically no chance of it ever getting better.
>
>   Personally, and I'm hoping to convince [vendor] and everybody else of
>   this eventually, I would like to see DNSSEC *replace* X.509 as the
>   PKI for basically everything on the Internet, or at least see all
>   X.509 trust conditioned on DNSSEC trust.
>
>
> Phillip, it is not just me. Your PKI solution does not fit this
> problem. It just creates an additional problem.
>
>
>> As the Internet matures and the need to upgrade equipment for purely
>> performance issues subsides, service
>> lifetimes for network infrastructure is going to be measured in decades.
>> Which is something of a problem in
>> an industry where Internet time turned out to mean that Netscape took a
>> little over five years to go from
>> startup, to industry behemoth, to extinction rather than the 80-90 years
>> that it took General Motors to
>> achieve the same.
>>
>
> You never did give me your professional expert estimate of the amount or
> percentage of valid CAs of the latest Netscape Navigator/Communicator
> released. I would still be interested in that number to confirm or deny
> the usability of Certificate Agencies over a decade long deployment.
>
> Paul
>
-- 
Website: http://hallambaker.com/