Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...

Nicholas Weaver <nweaver@icsi.berkeley.edu> Thu, 27 March 2014 18:39 UTC

From: Nicholas Weaver <nweaver@icsi.berkeley.edu>
In-Reply-To: <CAL9jLaaAYPfRNSmoO=G+q2JA4a2RVsV-z-0o3RFY7r+dQN-a_w@mail.gmail.com>
Date: Thu, 27 Mar 2014 11:39:33 -0700
Message-Id: <734640E6-6393-4EBF-BE36-5C05026027E5@icsi.berkeley.edu>
References: <0EA28BE8-E872-46BA-85FD-7333A1E13172@icsi.berkeley.edu> <4B70E4D6-6750-4E5A-9058-7F94588DEF4C@vpnc.org> <CAL9jLaaAYPfRNSmoO=G+q2JA4a2RVsV-z-0o3RFY7r+dQN-a_w@mail.gmail.com>
To: Christopher Morrow <christopher.morrow@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/eblmErmCcS2FO_VtlxMqw6Hw_Fs
Cc: dnsop WG <dnsop@ietf.org>, Nicholas Weaver <nweaver@icsi.berkeley.edu>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...

On Mar 27, 2014, at 11:18 AM, Christopher Morrow <christopher.morrow@gmail.com> wrote:

> On Thu, Mar 27, 2014 at 10:52 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>> Yes. If doing it for the DNS root key is too politically challenging, maybe do it for one of the 1024-bit trust anchors in the browser root pile.
> 
> why would this be politically sensitive?

Because the browsers have already decided killing off 1024b CAs is a good idea, and they could revoke just those CAs once someone breaks a 1024b example, since the browser vendors have good experience in revoking bad CAs already (cue DigiNotar...)


In contrast, DNSSEC seems mired in a 1024b swamp at the root, and when you can use an old key (which you can for the root, since you can fake everything up below that dynamically and fake NTP so that your bad key is still kosher), breaking a root key really would be breaking DNSSEC.

--
Nicholas Weaver                  it is a tale, told by an idiot,
nweaver@icsi.berkeley.edu                full of sound and fury,
510-666-2903                                 .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
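Two checks behind the points argued above, as an added example that is not part of Weaver's message or the thread: measuring the RSA modulus length carried in a DNSKEY record (the "1024b swamp" question), and evaluating an RRSIG validity window the way RFC 4035 tells a validator to, against whatever clock the validator trusts (the "fake NTP so that your bad key is still kosher" point). The DNSKEY bytes are constructed to have the right RFC 3110 shape and are not a real key; the function names, the 2048-bit threshold in `report()`, and the March 2014 validity window are my choices for illustration.

```python
"""Added example: DNSKEY RSA modulus length and RRSIG validity-window checks.
The DNSKEY samples are constructed, not real keys."""
import base64
import struct
from datetime import datetime, timezone

SERIAL_MOD = 1 << 32          # RRSIG times are 32-bit (RFC 4034 s.3.1.5)
SERIAL_HALF = 1 << 31
RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}


def dnskey_rdata_from_presentation(text: str) -> bytes:
    """Parse 'flags protocol algorithm base64...' (DNSKEY presentation format) into RDATA."""
    flags, protocol, algorithm, *b64 = text.split()
    return struct.pack("!HBB", int(flags), int(protocol), int(algorithm)) + base64.b64decode("".join(b64))


def rsa_modulus_bits(dnskey_rdata: bytes) -> int:
    """RSA modulus length in bits for an RSA DNSKEY (RFC 4034 header, RFC 3110 key encoding)."""
    if len(dnskey_rdata) < 5:
        raise ValueError("DNSKEY RDATA too short")
    _flags, protocol, algorithm = struct.unpack("!HBB", dnskey_rdata[:4])
    if protocol != 3:
        raise ValueError(f"DNSKEY protocol must be 3, got {protocol}")
    if algorithm not in RSA_ALGORITHMS:
        raise ValueError(f"algorithm {algorithm} is not an RSA algorithm")
    pub = dnskey_rdata[4:]
    # RFC 3110 s.2: one octet of exponent length, or 0x00 followed by a two-octet length
    if pub[0] != 0:
        exp_len, off = pub[0], 1
    else:
        exp_len, off = struct.unpack("!H", pub[1:3])[0], 3
    modulus = pub[off + exp_len:]
    if not modulus or modulus[0] == 0:
        raise ValueError("malformed modulus (empty or leading zero octet)")
    return (len(modulus) - 1) * 8 + modulus[0].bit_length()


def serial_le(a: int, b: int) -> bool:
    """a <= b in RFC 1982 serial arithmetic, which RFC 4034 requires for RRSIG times."""
    return a == b or 0 < (b - a) % SERIAL_MOD < SERIAL_HALF


def rrsig_time(text: str) -> int:
    """YYYYMMDDHHmmSS (RRSIG presentation format, UTC) -> 32-bit seconds since the epoch."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % SERIAL_MOD


def rrsig_time_valid(inception: str, expiration: str, now: int) -> bool:
    """RFC 4035 s.5.3.1: inception <= now <= expiration. 'now' is whatever clock the
    validator trusts, which is exactly what an attacker who controls NTP gets to choose."""
    return serial_le(rrsig_time(inception), now) and serial_le(now, rrsig_time(expiration))


def constructed_rsa_dnskey(flags: int, algorithm: int, modulus_bytes: int) -> bytes:
    """Constructed sample: DNSKEY RDATA with exponent 65537 and a modulus of the requested
    size. The modulus is filler with the high bit set, not a real RSA key."""
    exponent = b"\x01\x00\x01"
    modulus = b"\xc3" + b"\x5a" * (modulus_bytes - 1)
    return struct.pack("!HBB", flags, 3, algorithm) + bytes([len(exponent)]) + exponent + modulus


# Constructed samples: a 1024-bit ZSK-shaped key (flags 256) and a 2048-bit KSK-shaped key (flags 257).
ZSK_1024 = constructed_rsa_dnskey(256, 8, 128)
KSK_2048 = constructed_rsa_dnskey(257, 8, 256)
ZSK_1024_PRESENTATION = "256 3 8 " + base64.b64encode(ZSK_1024[4:]).decode()

# Constructed RRSIG validity window: two weeks in March 2014.
INCEPTION, EXPIRATION = "20140301000000", "20140315000000"


def report(dnskey_rdata: bytes, minimum_bits: int = 2048) -> str:
    """One-line verdict on a DNSKEY's RSA modulus against an operator-chosen minimum."""
    bits = rsa_modulus_bits(dnskey_rdata)
    verdict = "ok" if bits >= minimum_bits else f"below {minimum_bits}-bit minimum"
    return f"RSA modulus {bits} bits: {verdict}"


if __name__ == "__main__":
    print(report(ZSK_1024))
    print(report(KSK_2048))
    print(report(dnskey_rdata_from_presentation(ZSK_1024_PRESENTATION)))
    honest_clock = rrsig_time("20140327000000")   # the day of the thread: signature has expired
    skewed_clock = rrsig_time("20140310000000")   # clock pushed back via NTP: signature "still kosher"
    print("honest clock accepts:", rrsig_time_valid(INCEPTION, EXPIRATION, honest_clock))
    print("skewed clock accepts:", rrsig_time_valid(INCEPTION, EXPIRATION, skewed_clock))
```

The time check is the point to notice: nothing in the RRSIG tells the validator what time it is, so an expired signature over data signed with a broken or retired key is accepted the moment the validator's clock is moved back into the window. Feed `rsa_modulus_bits()` a real DNSKEY in presentation format (for example from `dig DNSKEY <zone>`) to see the key lengths actually deployed.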