[dns-wg] Input from the ICANN meeting in Cairo
- Previous message (by thread): [dns-wg] Input from the ICANN meeting in Cairo
- Next message (by thread): [dns-wg] one more effort on the NTIA response
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Dmitry Burkov
dburk at burkov.aha.ru
Sat Nov 8 21:17:44 CET 2008
Patrik Fältström wrote:

Patrik, I strongly support your and Jim's efforts to get consensus on our statement. I won't even comment on Doug's reply on the dns-wg proposed statement - I simply can't accept his proposals.

Regarding your points (not you personally - just comments):

1. We (here I am Russian) can't accept any scheme where we should sign something under USG legislation (it is easy enough - if we have no trust, what's the meaning of a digital signature? any questions?). It does mean that we don't need a secure network.

2. We will have a great problem using any foreign cryptography - but it seems it can be solved with the same approach as biometric passports today.

3. It is clear that in the current situation we will have more chances to find a common solution, as it will be more flexible and will reflect current reality.

4. Raising the issue of DNSSEC practically destroyed the current de-facto! status of the system of DNS root legitimacy - imho it was the greatest mistake (if someone can understand, drop me a personal message - I don't want to be a flamer).

Dima without any hats = hope you can understand me.

> In Cairo, I was thinking of what we have written so far, and find that the conclusions people draw from the text we have so far are not consistent with what I think was said at the RIPE meeting in Dubai.
>
> I will suggest text, but wanted to raise these two things asap:
>
> - I did NOT hear at the RIPE meeting in Dubai any specific preference for either IANA or Verisign as the holder of any keys. That said, I did hear some voices that felt "IANA is the natural trust anchor today for the DNS namespace, and because of that they should also hold the KSK". I did not hear any similar voice for Verisign.
>
> - I have heard last week more voices that think one should look carefully at the whole chain of trust from the TLD via the root to the resolver, and point out the whole chain is important. This includes where/when the zone is signed. I hear some people saying it is good if the DS record passed from the TLD is signed as soon as possible (by the organisation that receives the DS, today IANA).
>
> To let the rubber hit the road: these _technical_ arguments argue for zone signing by the organisation receiving the DS, and therefore the ZSK should be held by that organisation. This implies further a move of the zone creation from Verisign to IANA.
>
> So, I see the following alternatives being the dominant ones:
>
> 1. No change in the current structure. ZSK should be with Verisign as Verisign is zone creator. KSK stays also with Verisign so that KSK and ZSK are close to each other. Security of DS when moving DS from IANA to Verisign is unclear, and trust chain from IANA (that we trust for the root of the namespace) and the KSK that Verisign holds is unclear.
>
> 2. No change in the current structure. ZSK should be with Verisign as Verisign is zone creator. KSK held by IANA. Namespace root and KSK held by IANA, so trust chain is simple to see. Security of DS when moving DS from IANA to Verisign is unclear.
>
> 3. Zone signing is with IANA, so IANA sends signed records to Verisign. This implies a change in the current structure as more than the record changed is sent to Verisign (also NSEC etc). ZSK should be with IANA. KSK held by IANA. Namespace root and KSK held by IANA, so trust chain is simple to see. Security of DS is clear as it is signed when received by IANA.
>
> Then on top of this, we could have alternatives like whether the "control over the keys" should be via some multiple-password system like suggested by Verisign, or split-key, or whether the community can "simply" trust whoever is going to hold the keys (via open key ceremonies etc).
>
> I think my question is, should the reply from RIPE list alternatives in a way similar to this (I do not claim the above is perfect), so that it is easier for "whoever makes the decision" to count plusses and minuses from their point of view? Something I think should be possible already with the current list of bullets, if one just makes some of the points more clear and down to earth and not so much hand waving.
>
> Patrik
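The chain of trust that the quoted alternatives argue about (a TLD's DS record, signed by the root ZSK, which is in turn vouched for by the root KSK that a resolver holds as its trust anchor) can be walked in code. The following is an added example, not code from this thread, IANA or Verisign: it uses the real DS digest construction (RFC 4034, digest type 2), Ed25519 as DNSSEC algorithm 15 (RFC 8080), and an assumed simplified signature input in place of the RRSIG layout; all keys are generated at run time and the TLD name is a constructed placeholder.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"strings"
)

// DNSKEY mirrors the DNSKEY RDATA of RFC 4034; algorithm 15 is Ed25519 (RFC 8080).
type DNSKEY struct {
	Flags uint16 // 257 = KSK (SEP bit set), 256 = ZSK
	Pub   ed25519.PublicKey
}
func (k DNSKEY) rdata() []byte { // wire RDATA: flags, protocol 3, algorithm 15, raw public key
	return append([]byte{byte(k.Flags >> 8), byte(k.Flags), 3, 15}, k.Pub...)
}
// wireName encodes an owner name as lower-cased, length-prefixed labels (RFC 1035); "." is a single zero byte.
func wireName(name string) []byte {
	var out []byte
	for _, l := range strings.Split(strings.Trim(strings.ToLower(name), "."), ".") {
		if l != "" { out = append(append(out, byte(len(l))), l...) }
	}
	return append(out, 0)
}
// DS is the DS digest of RFC 4034 section 5.1.4, digest type 2: SHA-256(owner | DNSKEY rdata).
func DS(owner string, k DNSKEY) []byte {
	h := sha256.Sum256(append(wireName(owner), k.rdata()...))
	return h[:]
}
// RRsetMsg is an assumed simplification of the RRSIG input (not the RFC 4034 layout): owner name, then each RR's rdata.
func RRsetMsg(owner string, rdatas ...[]byte) []byte {
	return bytes.Join(append([][]byte{wireName(owner)}, rdatas...), nil)
}

// RootChain is what a validating resolver receives from the root zone.
type RootChain struct {
	KSK, ZSK         DNSKEY
	DNSKEYSig, DSSig []byte // KSK signature over {KSK, ZSK}; ZSK signature over the TLD's DS
	TLD              string
	TLDDS            []byte
}

// ValidTLDKey walks the chain: anchor == root KSK, KSK vouches for ZSK, ZSK vouches for the DS, DS matches the TLD KSK.
func ValidTLDKey(anchor DNSKEY, c RootChain, tldKSK DNSKEY) bool {
	return bytes.Equal(anchor.rdata(), c.KSK.rdata()) &&
		ed25519.Verify(c.KSK.Pub, RRsetMsg(".", c.KSK.rdata(), c.ZSK.rdata()), c.DNSKEYSig) &&
		ed25519.Verify(c.ZSK.Pub, RRsetMsg(c.TLD, c.TLDDS), c.DSSig) &&
		bytes.Equal(c.TLDDS, DS(c.TLD, tldKSK))
}
```

Each of the three alternatives in the quoted text changes who holds the private halves of KSK and ZSK and where the DS is between arrival and signing, but a resolver validates exactly these four links regardless; a DS altered between the organisation receiving it and the organisation signing the zone fails the last two checks.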