Re: [dnsext] historal root keys for upgrade path?
Phillip Hallam-Baker <hallam@gmail.com> Wed, 02 February 2011 16:27 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 37B3D3A6D31 for <dnsext@core3.amsl.com>; Wed, 2 Feb 2011 08:27:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.479
X-Spam-Level:
X-Spam-Status: No, score=-3.479 tagged_above=-999 required=5 tests=[AWL=0.119, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nw+57VXxYvzq for <dnsext@core3.amsl.com>; Wed, 2 Feb 2011 08:27:21 -0800 (PST)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by core3.amsl.com (Postfix) with ESMTP id CCC443A6CFB for <dnsext@ietf.org>; Wed, 2 Feb 2011 08:27:20 -0800 (PST)
Received: by yxt33 with SMTP id 33so74430yxt.31 for <dnsext@ietf.org>; Wed, 02 Feb 2011 08:30:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=28+jV74blm46sxF2IBnyO4sus+yOzr04AsJIu+eyOgQ=; b=ZSomzKUmf5uhHrQpDDxQlcwQt1cTcyt/Qh8CEc3Zt3mIYUvvgnTqJ1ykjVVOtNjGi1 aZRTW1gME9AFbPJYsLjjUrs/HqKGLgomhGRCHGAZKHegPDAM996/GMQJQEziChCzsgHe i1Hvk6PtYjKVSorqyv32uKGE+YbidpgE62esI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=mzOR2Deh0zLHWXzrmAcuAUf9D9OvwneGpXx4/GFh9PtXzc5DoRPy/q3bN2BiaL0hxG n0InMn6M9umEr3V+Tcne7FN9x+CanA1/SkwxTOcqj0/3HmR7+zPtlp9QY0P1Y7tqr9x+ LaPd2i9+QlmURsp/9hjd1pSLtoTa/HapFnEpA=
MIME-Version: 1.0
Received: by 10.100.134.10 with SMTP id h10mr6054308and.86.1296664239285; Wed, 02 Feb 2011 08:30:39 -0800 (PST)
Received: by 10.100.242.14 with HTTP; Wed, 2 Feb 2011 08:30:38 -0800 (PST)
In-Reply-To: <alpine.LSU.2.00.1102021436480.5244@hermes-1.csi.cam.ac.uk>
References: <alpine.LFD.1.10.1101251250040.30991@newtla.xelerance.com> <17A80F45-52CB-43F6-BD4A-3488821F6933@hopcount.ca> <3A1DEE95-8C8E-4C89-97EB-6D8F799ADE25@virtualized.org> <583A62B0-0DBF-469A-AF8A-B81DEDD1E7E2@dotat.at> <86B1D38A-C274-4335-B30E-3C5C0DF05C38@hopcount.ca> <4D45DE93.9090508@vpnc.org> <AANLkTinbjRebooyqWMpZ2oTudruoDSGqgaXXr35WPYVH@mail.gmail.com> <AANLkTikiqe2K4S-dNsyQZ-xp71J4bM11SsahwpxfDKCX@mail.gmail.com> <4C747F08-A9E8-46E6-AE76-0A999A16D276@hopcount.ca> <AANLkTinOtx88vK3mz-w=uw1CnsKwm=c-nTDOsj=5JAPY@mail.gmail.com> <B4F822D3-F4D6-4657-B299-075B89B5CC86@hopcount.ca> <AANLkTi=BtqV3XF-yXhDBNd7hPCbJCWKuS-WsO=_nf6g3@mail.gmail.com> <EC6DC378-D10D-45FC-B9FB-8D43A780A9EC@kirei.se> <alpine.LSU.2.00.1102021405380.5244@hermes-1.csi.cam.ac.uk> <55D1BB6F-44E9-4D12-93F3-DD5AD219D429@kirei.se> <alpine.LSU.2.00.1102021436480.5244@hermes-1.csi.cam.ac.uk>
Date: Wed, 02 Feb 2011 11:30:38 -0500
Message-ID: <AANLkTinOMEYJNsixJtrruy-afMzKYr4bnbkG3CjE6M+5@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Tony Finch <dot@dotat.at>
Content-Type: multipart/alternative; boundary="0016e644c708602859049b4f2b9d"
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, dnsext@ietf.org
Subject: Re: [dnsext] historal root keys for upgrade path?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Feb 2011 16:27:22 -0000
We have about a quarter billion names and in excess of four billion devices. By the time we get to the second roll in the 2020 time frame I would expect us to be considering about ten billion devices, most of which we would hope to have DNSSEC capability. If the cost of this firedrill is $0.10 cents per device we are talking about a billion dollar fire drill. If the cost is $10 per device we have spent $100 billion. The reason that costs accumulate in the federal government PKI is that (1) they hire contractors looking to inflate costs and (2) they have a heck of a lot of devices and small administrative cost escalates quickly. Loading up unnecessary requirements like vanity root rolls is the reason some people's X.509 PKIs became overly complex and difficult to manage. That is why we settled on using long term embedded roots in the SSL PKI. It is not an ideal situation from the crypto-perfectionist point of view, but that is not the only consideration. On Wed, Feb 2, 2011 at 9:39 AM, Tony Finch <dot@dotat.at> wrote: > On Wed, 2 Feb 2011, Jakob Schlyter wrote: > > > > I'm not saying we should not test key rollovers, but testing in public > > on the live Internet would, IMHO, be irresponsible. Testing should be > > exercised in a closed environment, together with vendors. > > I was not thinking of bench testing, I was thinking of maintaining > the operational readiness of all the installations out there. > > > We don't set real buildings on fire just to make sure that the fire > > brigade still operates as expected - we test and exercise them under > > much better control. > > We do drill non-emergency evacuations and deliberately sound operational > fire alarm systems. > > Tony. > -- > f.anthony.n.finch <dot@dotat.at> http://dotat.at/ > HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO > 7, > DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR > ROUGH. RAIN THEN FAIR. GOOD. > -- Website: http://hallambaker.com/
- [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Stephan Lagerholm
- Re: [dnsext] historal root keys for upgrade path? Andrew Sullivan
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Paul Hoffman
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Paul Hoffman
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Edward Lewis
- Re: [dnsext] historal root keys for upgrade path? Thierry Moreau
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Edward Lewis
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Alex Nicoll
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Stephan Lagerholm
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Florian Weimer
- Re: [dnsext] historal root keys for upgrade path? Jakob Schlyter
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Nicholas Weaver
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Matthew Dempsky
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Florian Weimer
- Re: [dnsext] historal root keys for upgrade path? Florian Weimer
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Paul Vixie
- Re: [dnsext] historal root keys for upgrade path? Paul Vixie
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Andrew Sullivan
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? David Conrad
- Re: [dnsext] historal root keys for upgrade path? Florian Weimer
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Thierry Moreau
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Paul Hoffman
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? W.C.A. Wijngaards
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Nicholas Weaver
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Nicholas Weaver
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Jakob Schlyter
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Jakob Schlyter
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Ted Lemon
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Florian Weimer