Re: weiler-dnssec-dlv-02
Thierry Moreau <thierry.moreau@connotech.com> Thu, 22 March 2007 23:36 UTC
Return-path: <owner-namedroppers@ops.ietf.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HUWpK-0003Kg-IS; Thu, 22 Mar 2007 19:36:14 -0400
Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HUWpF-000090-U3; Thu, 22 Mar 2007 19:36:14 -0400
Received: from majordom by psg.com with local (Exim 4.63 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1HUWjN-000JIi-7A for namedroppers-data@psg.com; Thu, 22 Mar 2007 23:30:05 +0000
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-2.5 required=5.0 tests=BAYES_00,FORGED_RCVD_HELO autolearn=ham version=3.1.7
Received: from [68.142.225.206] (helo=smtp108.rog.mail.re2.yahoo.com) by psg.com with smtp (Exim 4.63 (FreeBSD)) (envelope-from <thierry.moreau@connotech.com>) id 1HUWjJ-000JC6-8z for namedroppers@ops.ietf.org; Thu, 22 Mar 2007 23:30:03 +0000
Received: (qmail 17719 invoked from network); 22 Mar 2007 23:29:56 -0000
Received: from unknown (HELO connotech.com) (t2i6@rogers.com@209.148.165.15 with plain) by smtp108.rog.mail.re2.yahoo.com with SMTP; 22 Mar 2007 23:29:55 -0000
X-YMail-OSG: HH3xBBAVM1kC.g3fs3SC7R6tfCFurj688JJTZgSFsDdPtx_K2SxWyVPBel8LinBbVQ--
Message-ID: <460312BF.8080002@connotech.com>
Date: Thu, 22 Mar 2007 18:35:27 -0500
From: Thierry Moreau <thierry.moreau@connotech.com>
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: David Conrad <david.conrad@icann.org>
CC: namedroppers@ops.ietf.org
Subject: Re: weiler-dnssec-dlv-02
References: <31513.1174480876@sandelman.ottawa.on.ca> <FC2FD963-5882-4D34-896B-8B9459386AA6@icann.org> <20070322073609.GA4489@laperouse.bortzmeyer.org> <67730.1174572329@sa.vix.com> <48CBA67D-FF7C-4930-AA53-CAA2CE1F30DA@icann.org>
In-Reply-To: <48CBA67D-FF7C-4930-AA53-CAA2CE1F30DA@icann.org>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-id: DNSEXT discussion <namedroppers.ops.ietf.org>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: fb6060cb60c0cea16e3f7219e40a0a81
David Conrad wrote: > Hi, > > >> and strong security around the KSK, > > > Not specified in the draft, but define "strong". IANA already has some > level of security, but I suspect nothing on the order of what would be > necessary to provide a sufficient level of assurance that the KSK > wasn't compromised. Since the data we're talking about here are used > to sign information that relates to national interests, I suspect the > level of security necessary is on the order of that necessary to > protect national-level secrets. I don't plan on moving IANA to a > former ICBM silo. > > In my mind, this sort of points out a bit of a flaw in the operational > implications of DNSSEC. Forget (as we have to date since it is a hard > problem) how one might recover from a root KSK compromise. > Pragmatically speaking, the holder of the root KSK is setting itself up > to be a teensy bit of a target. Compromise of the root KSK would have > ... significant implications and likely astounding liabilities. Who > wants that? Since the implications are so great (and there is no way > to recover), you have to be _EXTREMELY_ careful with the key. This > level of care is likely to be is very, very expensive. Who is going to > pay for that? > Thanks David for re-stating the requirement for emergency KSK rollover requirement. However, the KSK security strength was not particularly stressed in the trust anchor (TA) automated rollover requirements draft that the DNSEXT produced, at least not with the above pragmatic perspective. The DNSEXT wg has moved this draft to the IESG, so it looks like a done deal for the wg. In the early days of TA rollover requirements discussions, I used to advocate for the expliciteness of emergency rollover recovery principles, with an implied "catastrophic failure mode" disclosure requirement. I.e. let's disclose the exact circumstances where "there is no way to recover", so that _EXTREME_ _CARE_ could be applied to these circumstances. But the wg paid more attention to other requirements and selection criteria. Overall, I came to the conclusion that the TA rollover issue hit a limit in what an IETF wg can realistically achieve. Regards, -- - Thierry Moreau CONNOTECH Experts-conseils inc. 9130 Place de Montgolfier Montreal, Qc Canada H2M 2A1 Tel.: (514)385-5691 Fax: (514)385-5900 web site: http://www.connotech.com e-mail: thierry.moreau@connotech.com -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- weiler-dnssec-dlv-02 Michael Richardson
- Re: weiler-dnssec-dlv-02 Michael Richardson
- Re: weiler-dnssec-dlv-02 Paul Vixie
- Re: weiler-dnssec-dlv-02 Joao Damas
- Re: weiler-dnssec-dlv-02 Thierry Moreau
- Re: weiler-dnssec-dlv-02 bmanning
- Re: weiler-dnssec-dlv-02 Alex Bligh
- Re: weiler-dnssec-dlv-02 bmanning
- Re: weiler-dnssec-dlv-02 Joao Damas
- Re: weiler-dnssec-dlv-02 Paul Vixie
- Re: weiler-dnssec-dlv-02 Paul Vixie
- RE: weiler-dnssec-dlv-02 Hallam-Baker, Phillip
- Re: weiler-dnssec-dlv-02 David Conrad
- Re: weiler-dnssec-dlv-02 David Conrad
- Re: weiler-dnssec-dlv-02 David Conrad