On Mar 27, 2014, at 11:18 AM, Christopher Morrow <christopher.mor...@gmail.com> wrote:
> On Thu, Mar 27, 2014 at 10:52 AM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
>> Yes. If doing it for the DNS root key is too politically challenging, maybe
>> do it for one of the 1024-bit trust anchors in the browser root pile.
>
> why would this be politically sensitive?

Because the browsers have already decided killing off 1024b CAs is a good idea, and they could revoke just those CAs once someone breaks a 1024b example, since the browser vendors have good experience in revoking bad CAs already (queue DigiNotar...)

In contrast, DNSSEC seems mired in a 1024b swamp at the root, and when you can use an old key (which you can for the root, since you can fake everything up below that dynamically and fake NTP so that your bad key is still kosher), breaking a root key really would be breaking DNSSEC.

--
Nicholas Weaver                  it is a tale, told by an idiot,
nwea...@icsi.berkeley.edu        full of sound and fury,
510-666-2903                     .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
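The point about an old root key staying "kosher" if the validator's clock can be moved rests on how a DNSSEC validator decides whether an RRSIG is still in its validity window. The following is an added example, not code from the thread or from any DNS implementation: it implements the RFC 4034 / RFC 4035 time-window check (presentation-format timestamps, RFC 1982 serial-number comparison for the 32-bit wraparound) and runs the same constructed, hypothetical RRSIG window under three different notions of "now". The timestamps, the 14-day window and the skew value are constructed for illustration; no key or signature bytes are involved.

```python
# Added example: DNSSEC RRSIG temporal validity and its dependence on the local clock.
# Not code from the DNSOP thread or from any resolver; timestamps below are constructed.
#
# RFC 4034 s3.1.5: Signature Inception/Expiration are 32-bit seconds-since-epoch
# values, compared with RFC 1982 serial-number arithmetic; presentation form is
# YYYYMMDDHHmmSS in UTC.  RFC 4035 s5.3.1: a signature is usable only when
# inception <= now <= expiration, judged by the validator's own clock.

from datetime import datetime, timezone

MOD = 1 << 32          # RRSIG time fields are 32-bit, so they wrap in 2106 (and 1982 arithmetic covers 2038)
HALF = MOD // 2


def parse_rrsig_time(text: str) -> int:
    """Parse an RRSIG time field (YYYYMMDDHHmmSS, UTC) into seconds since epoch mod 2^32."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % MOD


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 'a < b' for 32-bit serial numbers: distances are measured modulo 2^32."""
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)


def rrsig_in_window(inception: str, expiration: str, now: int, skew: int = 0) -> bool:
    """True iff inception <= now <= expiration, with an optional symmetric clock-skew allowance.

    `skew` models the small tolerance some validators grant for drift; it is an
    assumption of this example, not a value taken from any RFC or implementation.
    """
    inc = (parse_rrsig_time(inception) - skew) % MOD
    exp = (parse_rrsig_time(expiration) + skew) % MOD
    # "now is not before inception" and "expiration is not before now"
    return not serial_lt(now, inc) and not serial_lt(exp, now)


def demo() -> dict:
    """Same constructed RRSIG window; only the validator's idea of the current time differs."""
    inception, expiration = "20140320000000", "20140403000000"   # constructed 14-day window
    at_the_time = parse_rrsig_time("20140327120000")             # validating while the signature is fresh
    honest_later = parse_rrsig_time("20160101000000")            # an accurate clock, long after expiry
    rolled_back = parse_rrsig_time("20140327120000")             # what a wrong (e.g. spoofed) time source reports
    return {
        "fresh_signature": rrsig_in_window(inception, expiration, at_the_time),
        "honest_clock_years_later": rrsig_in_window(inception, expiration, honest_later),
        "clock_rolled_back": rrsig_in_window(inception, expiration, rolled_back),
        "small_skew_tolerated": rrsig_in_window(inception, expiration,
                                               parse_rrsig_time("20140403000500"), skew=600),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:28s} -> {'ACCEPT' if accepted else 'REJECT'}")
```

The third scenario is the failure mode the thread describes: an expired signature made with a retired key is rejected by an honest clock but accepted again as soon as the validator's time is wrong, because the expiration check is the only thing that ages a DNSSEC signature out. The defensive consequence is that a validator's time source is part of its trust base: authenticated time (Network Time Security, RFC 8915), refusing to step the clock far backwards, and keeping any skew tolerance to minutes rather than days all narrow the window in which a stale RRSIG is still "kosher".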
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop