Re: [dnsext] Historical root keys: The Large Router Vendor Speaks

Thierry Moreau <thierry.moreau@connotech.com> Fri, 28 January 2011 21:54 UTC

Message-ID: <4D433B9D.7030209@connotech.com>
Date: Fri, 28 Jan 2011 16:56:45 -0500
From: Thierry Moreau <thierry.moreau@connotech.com>
To: John Bashinski <jbash@cisco.com>
References: <4D41D3E2.6060107@cisco.com> <3125F45F-7594-498F-AFA3-D2D738A228F5@hopcount.ca> <4D42F597.8090006@vpnc.org> <4D42FCB6.70005@cisco.com> <4D43072D.6090503@vpnc.org> <4D431F94.4020701@cisco.com>
In-Reply-To: <4D431F94.4020701@cisco.com>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, dnsext@ietf.org
Subject: Re: [dnsext] Historical root keys: The Large Router Vendor Speaks

John Bashinski wrote:
> 
> It's not even part of the process if you maintain
> your anchors manually (as everybody does now). And it doesn't become any
> more central when anything goes wrong. It doesn't make any change
> in, say, how the system responds to key compromise, nor have I asked
> for any change in the key rollover schedule. All I've asked for is
> a history of rollovers, or something equivalent.
> 

But once IANA (or whichever organization makes it "public") commits to 
"it" for the long term, it becomes by definition more trustworthy than the 
root KSK. Then suddenly the trust foundation shifts from the root KSK to 
"it", and soon it becomes best practice to use it as the normal way to 
bootstrap DNSSEC resolution.

At one point you reach the end of the world (the Earth is flat with 
respect to system-wide crypto key management).

> If you want to have more assurance in your trust anchors, you can ALWAYS
> install them manually, or check their fingerprints manually, exactly as
> you would today. You can use whatever out of band methods you
> want. Nobody's suggested taking that away. In fact, I'm expecting to
> take heat for requiring some quite sophisticated trust anchor management
> to be available in products where it'll almost never get used. The
> present draft requires:
> 
> 1. User able to choose root keys (defaulting to whatever's learned
>    from the system we're talking about now).
> 

Ah ah! Now "it" becomes the (default) new trust foundation. I knew it 
would come sooner than later.

Have a good week-end and best regards,

-- 
- Thierry Moreau