[dns-wg] NTIA NoI: does anyone care?
bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Wed Oct 15 18:09:22 CEST 2008
On Wed, Oct 15, 2008 at 08:36:09AM -0700, Kim Davies wrote:
> On 15/10/08 8:05 AM, "bmanning at vacation.karoshi.com"
> <bmanning at vacation.karoshi.com> wrote:
> >
> > both ICANN and Verisign are claiming that placing all
> > the zone creation, change and publication should be
> > with the same organization that creates, holds and
> > uses the digital signatures attesting to the integrity
> > of the zone data.
> >
> > in local parlance, this is the functional equivalence
> > of the fox watching the hen house.
>
> Sorry Bill, but I don't see how this analogy works at all. How does an
> uninvolved third party attest the integrity of the data in the root zone? In
> a DNSSEC-signed world, the ICANN/VeriSign/NTIA troika would presumably still
> be responsible for the content of the root zone.

that's ok, i said it was local. if you are not familiar
with the role of company/security auditors or the use of
notary publics, then perhaps knowledge in that area would
be helpful in understanding my concerns.

> If we are talking about analogies, I want the md5sum or PGP signature
> testifying a software package is not tampered with to be generated as close
> as possible to when the author created the tar file, not by third parties
> after it had passed through multiple hands.

nothing stops VSGN from continuing to provide the MD5sum on the
data it ships.

> kim

--bill