At 13:50 -0400 4/21/09, Paul Wouters wrote:
> No, they just connect to the bogus largebank.com and steal more than your gross turnover....
Ummm, psst, most banks here are bankrupt. ;)
> I am tempted to lean towards using a KSK in an HSM, and using the ZSK without
I had the same thought at one point. But...
As far as an HSM as one way to cover my bases in the event of
litigation, that goes without question - especially when
hypothetically speaking. But pragmatically speaking, I haven't seen
a "proof" I need an HSM.
Yes, I could use some stress in my life, I hear it's a good way to lose weight.
At 13:59 -0400 4/21/09, Paul Wouters wrote:
> Then you put your vulnerability period during emergency key rollover in the
> hands of the RRSIG lifetime of the parent. That lifetime is probably even
> longer than the time for the attack(er) to make it to CNN's broadcast that
> hopefully warns your customers.
The problem with revocation in DNSSEC is not limited to issues
impacted by the choice whether to use an HSM. E.g., if the HSM uses
a key that someone else guesses, you have the same problem whether
you used an HSM or not. (I guess I suppose it's possible to have key
dictionary attacks, for example.)
But I suppose that's far flung - I would hope an HSM does a good job
at random number generation.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
Getting everything you want is easy if you don't want much.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop