On 2010-09-17, at 06:28, W.C.A. Wijngaards wrote:

> * The URL that IANA published in their description is:
>  https://data.iana.org/root-anchors/root-anchors.xml
> * 'widely available trust certificates' to verify the https

We also specified

 - http:// URLs (no "s")
 - detached OpenPGP signatures
 - detached S/MIME signatures

> Are you sure that we want to create a cross-dependency on the https
> security for the DNS security?

Per above, there are multiple alternatives.

> This means the DNS and cert paths are no
> longer different trust paths.  And we should look at the attack vectors
> here.  If the root-key-prime fails, it is likely the machine will
> initiate this update machinery right away.  Assume a full MitM; say on a
> middlebox; it can make the root-key-prime fail and intercept traffic to
> that URL.

Let's also assume that a trust anchor for the ICANN CA which is used to create
the detached S/MIME signature, or the PGP public key which is used to create
the OpenPGP signature, has been incorporated in some sensible way into operating
system and/or DNS software distribution. This ought to represent a
usefully-different path of trust to allow the authenticity of trust anchors
received from the repository to be verified.

ICANN continues to offer to work directly with key software vendors to 
facilitate secure distribution of these trust points. We'll fly to your offices 
and hand them to you with signed attestations, if you want.


Joe
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
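
The separate trust path discussed in the message above, as an added example that is not part of the original message: a detached S/MIME signature is checked with `openssl smime` against a locally held CA file, so neither altered data nor data re-signed by an interceptor is accepted, whatever transport delivered it. The throwaway keys, file names and XML content are constructed for the demo; a self-signed certificate stands in for the pre-distributed CA trust anchor.

```shell
#!/bin/sh
# Added example. Keys, file names and XML below are constructed for the demo;
# in deployment the CA file would be the trust anchor shipped with the OS or
# DNS software, never something fetched alongside the data it protects.

# sign_detached DIR NAME FILE: create a self-signed key pair NAME in DIR and a
# detached DER signature FILE.NAME.p7s (-binary: sign the bytes as they are).
sign_detached() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2 (constructed)" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null &&
    openssl smime -sign -binary -in "$3" -signer "$1/$2.pem" -inkey "$1/$2.key" \
        -outform DER -out "$3.$2.p7s" 2>/dev/null
}

# verify_anchor FILE SIG CAFILE: succeed only if SIG is a valid detached
# signature over FILE made by a certificate that chains to CAFILE.
verify_anchor() {
    openssl smime -verify -binary -inform DER -in "$2" -content "$1" \
        -CAfile "$3" -purpose any -out /dev/null 2>/dev/null
}

# run_demo: print one accept/reject verdict per scenario.
run_demo() {
    d=$(mktemp -d) || return 1
    printf '<TrustAnchor><Zone>.</Zone><KeyTag>11111</KeyTag></TrustAnchor>\n' > "$d/good.xml"
    sed 's/11111/22222/' "$d/good.xml" > "$d/forged.xml"
    sign_detached "$d" pinned "$d/good.xml"    # stands in for the publisher
    sign_detached "$d" mitm "$d/forged.xml"    # interceptor signs its own data
    for pair in "good.xml good.xml.pinned.p7s" \
                "forged.xml good.xml.pinned.p7s" \
                "forged.xml forged.xml.mitm.p7s"; do
        set -- $pair
        if verify_anchor "$d/$1" "$d/$2" "$d/pinned.pem"; then v=accept; else v=reject; fi
        printf '%s+%s:%s\n' "$1" "$2" "$v"
    done
    rm -rf "$d"
}

run_demo
```
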
