Re: [dnsext] draft-jabley-dnsop-validator-bootstrap-00
Phillip Hallam-Baker <hallam@gmail.com> Tue, 01 February 2011 00:37 UTC
In-Reply-To: <6819D144-A148-41AB-BF38-A888E0950D7E@hopcount.ca>
References: <3E0BC533-AFF7-4E5E-A52E-BD7814FC4060@hopcount.ca>
<4D472D2C.9090108@cisco.com>
<6819D144-A148-41AB-BF38-A888E0950D7E@hopcount.ca>
Date: Mon, 31 Jan 2011 19:40:35 -0500
Message-ID: <AANLkTikx-cc47UFjK6=DxwxJVraMv89L-ebBmhHPn7ZE@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, Knight Dave <dave.knight@icann.org>,
dnsext List <dnsext@ietf.org>
Subject: Re: [dnsext] draft-jabley-dnsop-validator-bootstrap-00
On Mon, Jan 31, 2011 at 5:14 PM, Joe Abley <jabley@hopcount.ca> wrote:
>
>> Either way, it's a local trust anchor... and I don't see why X.509
>> keys are any less compromisable than DNS keys...
>
> The difference is that X.509 keys, as deployed by CAs, have expected
> lifetimes measured in decades. Right now we don't know what the expected
> lifetime of the root zone KSK is.

To be precise here, there is no difference in the likelihood that the keys will be compromised. The difference is that the X.509 protocol is designed to support keys that are persistent over long periods (decades) and DNSSEC is not.

In particular, an X.509 self-signed certificate is an assertion that the key holder will maintain and use the associated private key in accordance with the specified practices for the specified length of time. You can easily find out how long Comodo or Symantec or whoever is going to maintain their SSL CA roots; the information is right there in the cert store, and it is irrevocable in that the CA can extend the time period (through recertification) but cannot reduce it.

My advice to Cisco would be to use their existing root to sign the published CSR for the DNS root KSK, in the short term at least.

In the longer term we are going to have to have a look at the problem at a higher level and work out how we are going to solve it in a scalable way across all the platforms that involve a root key. We are starting to make quite a little collection of industry forums that are doing this root key management as a sideline.

--
Website: http://hallambaker.com/
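The contrast the reply draws, a validity window that an X.509 relying party enforces and that the CA can only extend by recertifying the same key, set against a DNSKEY and its DS record that carry no lifetime at all, as an added example in Go that is not part of the original mail or of the draft under discussion. It uses only the Go standard library; the certificate names, serial numbers, dates and the four-byte stand-in for the DNSKEY public key are constructed for illustration. The key tag and DS digest follow RFC 4034 (Appendix B and section 5.1.4).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedRoot issues a self-signed CA certificate for key covering
// [notBefore, notAfter]. That window is the CA's public commitment to keep
// the key in service; a relying party reads it straight out of its store.
// (Constructed example; names, serials and dates are assumptions.)
func newSelfSignedRoot(key *ecdsa.PrivateKey, cn string, serial int64, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedAt runs the relying party's check: does cert chain to a root in
// pool when the validator's clock reads at? Outside the window it fails.
func trustedAt(cert *x509.Certificate, pool *x509.CertPool, at time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at})
	return err
}

// dnskeyRDATA builds DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol,
// algorithm, public key. There is no validity field anywhere in it.
func dnskeyRDATA(flags uint16, protocol, algorithm byte, pubkey []byte) []byte {
	return append([]byte{byte(flags >> 8), byte(flags), protocol, algorithm}, pubkey...)
}

// dnskeyKeyTag is the RFC 4034 Appendix B key tag over DNSKEY RDATA.
func dnskeyKeyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		if i&1 == 0 {
			ac += uint32(b) << 8
		} else {
			ac += uint32(b)
		}
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// dsSHA256 is the DS digest of type 2 (RFC 4034 section 5.1.4):
// SHA-256(owner name in canonical wire form || DNSKEY RDATA). This is the
// form a trust anchor is usually configured in, and it too carries no date.
func dsSHA256(ownerWire, rdata []byte) [32]byte {
	h := sha256.New()
	h.Write(ownerWire)
	h.Write(rdata)
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	start := time.Date(2011, 2, 1, 0, 0, 0, 0, time.UTC)

	// Constructed root: the CA promises 20 years.
	root, err := newSelfSignedRoot(key, "Constructed Example Root", 1, start, start.AddDate(20, 0, 0))
	if err != nil {
		panic(err)
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	fmt.Println("root trusted in 2020:", trustedAt(root, pool, start.AddDate(9, 0, 0)))
	fmt.Println("root trusted in 2035:", trustedAt(root, pool, start.AddDate(24, 0, 0)))

	// Recertification: same key, later NotAfter. The earlier promise stands;
	// the CA can only extend it, never pull it back.
	root2, err := newSelfSignedRoot(key, "Constructed Example Root", 2, start, start.AddDate(30, 0, 0))
	if err != nil {
		panic(err)
	}
	pool2 := x509.NewCertPool()
	pool2.AddCert(root2)
	fmt.Println("recertified root trusted in 2035:", trustedAt(root2, pool2, start.AddDate(24, 0, 0)))
	fmt.Println("same public key:", bytes.Equal(root.RawSubjectPublicKeyInfo, root2.RawSubjectPublicKeyInfo))

	// DNSSEC side with a constructed four-byte key stand-in: flags 257 (KSK),
	// protocol 3, algorithm 8. Nothing here says how long the key is kept.
	rdata := dnskeyRDATA(257, 3, 8, []byte{0x01, 0x02, 0x03, 0x04})
	ds := dsSHA256([]byte{0x00}, rdata) // owner "." in wire form is a single zero byte
	fmt.Printf("DNSKEY RDATA %x, key tag %d, DS(2) %x\n", rdata, dnskeyKeyTag(rdata), ds)
}
```

Running it, the second trustedAt call reports an expiry error while the recertified root, carrying the same SubjectPublicKeyInfo, verifies at that same date; the DNSKEY RDATA and its DS digest have no field in which such a commitment could be expressed, which is the asymmetry the reply is pointing at.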
- [dnsext] draft-jabley-dnsop-validator-bootstrap-00 Joe Abley
- Re: [dnsext] draft-jabley-dnsop-validator-bootstr… John Bashinski
- Re: [dnsext] draft-jabley-dnsop-validator-bootstr… Joe Abley
- Re: [dnsext] draft-jabley-dnsop-validator-bootstr… Phillip Hallam-Baker
- Re: [dnsext] draft-jabley-dnsop-validator-bootstr… Paul Hoffman
- Re: [dnsext] draft-jabley-dnsop-validator-bootstr… Phillip Hallam-Baker
- Re: [dnsext] draft-jabley-dnsop-validator-bootstr… Ted Lemon
- Re: [dnsext] draft-jabley-dnsop-validator-bootstr… Phillip Hallam-Baker
- [dnsext] Moderate one's tone, please. (was: draft… Andrew Sullivan
- Re: [dnsext] Moderate one's tone, please. Paul Hoffman
- Re: [dnsext] Moderate one's tone, please. Andrew Sullivan
- Re: [dnsext] Moderate one's tone, please. Phillip Hallam-Baker
- Re: [dnsext] Moderate one's tone, please. Paul Wouters
- Re: [dnsext] Moderate one's tone, please. Paul Wouters
- Re: [dnsext] Moderate one's tone, please. Paul Hoffman
- Re: [dnsext] Moderate one's tone, please. Phillip Hallam-Baker
- Re: [dnsext] draft-jabley-dnsop-validator-bootstr… Tony Finch
- Re: [dnsext] Moderate one's tone, please. Masataka Ohta
- Re: [dnsext] draft-jabley-dnsop-validator-bootstr… Jakob Schlyter
- Re: [dnsext] Moderate one's tone, please. Derek Atkins
- Re: [dnsext] draft-jabley-dnsop-validator-bootstr… Danny Mayer