Re: [dnsext] historal root keys for upgrade path?

Phillip Hallam-Baker <hallam@gmail.com> Wed, 02 February 2011 16:27 UTC

In-Reply-To: <alpine.LSU.2.00.1102021436480.5244@hermes-1.csi.cam.ac.uk>
References: <alpine.LFD.1.10.1101251250040.30991@newtla.xelerance.com> <17A80F45-52CB-43F6-BD4A-3488821F6933@hopcount.ca> <3A1DEE95-8C8E-4C89-97EB-6D8F799ADE25@virtualized.org> <583A62B0-0DBF-469A-AF8A-B81DEDD1E7E2@dotat.at> <86B1D38A-C274-4335-B30E-3C5C0DF05C38@hopcount.ca> <4D45DE93.9090508@vpnc.org> <AANLkTinbjRebooyqWMpZ2oTudruoDSGqgaXXr35WPYVH@mail.gmail.com> <AANLkTikiqe2K4S-dNsyQZ-xp71J4bM11SsahwpxfDKCX@mail.gmail.com> <4C747F08-A9E8-46E6-AE76-0A999A16D276@hopcount.ca> <AANLkTinOtx88vK3mz-w=uw1CnsKwm=c-nTDOsj=5JAPY@mail.gmail.com> <B4F822D3-F4D6-4657-B299-075B89B5CC86@hopcount.ca> <AANLkTi=BtqV3XF-yXhDBNd7hPCbJCWKuS-WsO=_nf6g3@mail.gmail.com> <EC6DC378-D10D-45FC-B9FB-8D43A780A9EC@kirei.se> <alpine.LSU.2.00.1102021405380.5244@hermes-1.csi.cam.ac.uk> <55D1BB6F-44E9-4D12-93F3-DD5AD219D429@kirei.se> <alpine.LSU.2.00.1102021436480.5244@hermes-1.csi.cam.ac.uk>
Date: Wed, 02 Feb 2011 11:30:38 -0500
Message-ID: <AANLkTinOMEYJNsixJtrruy-afMzKYr4bnbkG3CjE6M+5@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Tony Finch <dot@dotat.at>
Content-Type: multipart/alternative; boundary="0016e644c708602859049b4f2b9d"
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, dnsext@ietf.org
Subject: Re: [dnsext] historal root keys for upgrade path?

We have about a quarter billion names and in excess of four billion devices.

By the time we get to the second roll in the 2020 time frame I would expect
us to be considering about ten billion devices, most of which we would hope
to have DNSSEC capability.
If the cost of this fire drill is $0.10 per device we are talking about
a billion dollar fire drill. If the cost is $10 per device we have spent
$100 billion.

The reason that costs accumulate in the federal government PKI is that (1)
they hire contractors looking to inflate costs and (2) they have a heck of a
lot of devices and small administrative cost escalates quickly.

Loading up unnecessary requirements like vanity root rolls is the reason
some people's X.509 PKIs became overly complex and difficult to manage.
That is why we settled on using long term embedded roots in the SSL PKI. It
is not an ideal situation from the crypto-perfectionist point of view, but
that is not the only consideration.
On Wed, Feb 2, 2011 at 9:39 AM, Tony Finch <dot@dotat.at> wrote:

> On Wed, 2 Feb 2011, Jakob Schlyter wrote:
> >
> > I'm not saying we should not test key rollovers, but testing in public
> > on the live Internet would, IMHO, be irresponsible. Testing should be
> > exercised in a closed environment, together with vendors.
>
> I was not thinking of bench testing, I was thinking of maintaining
> the operational readiness of all the installations out there.
>
> > We don't set real buildings on fire just to make sure that the fire
> > brigade still operates as expected - we test and exercise them under
> > much better control.
>
> We do drill non-emergency evacuations and deliberately sound operational
> fire alarm systems.
>
> Tony.
> --
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7,
> DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR
> ROUGH. RAIN THEN FAIR. GOOD.
>
-- 
Website: http://hallambaker.com/