[discuss] Having several trust anchors for DNSSEC (was Re: cgi.br release...)

Brian E Carpenter brian.e.carpenter at gmail.com
Wed Jan 15 19:25:26 UTC 2014


On 15/01/2014 23:53, S Moonesamy wrote:
> Hi Norbert,
> At 03:17 14-01-2014, Norbert Bollow wrote:
>> While the document is indeed old, what Brenden Kuerbis and Milton
>> Mueller proposed there --having several trust anchors for DNSSEC--
>> IMO still looks like a very good idea from today's perspective.
>>
>> I propose to include this in the agenda for the Sao Paulo meeting.
> 
> This is an individual comment.

So is this: It doesn't seem likely that there will be the necessary
people in Sao Paulo to discuss such a complex and technical point.
I would also observe that allowing the existence of a large number of
CAs as trust anchors in SSL/TLS space has been demonstrated to be
unsafe. To avoid this, you need to be very careful about who is allowed
to be a trust anchor and about the checks and balances to keep them
honest. It isn't obvious that having several will be politically
easier, or ultimately more trustworthy, than having one.

    Brian

> There is a message from Joe Abley at
> http://www.ietf.org/mail-archive/web/dnsop/current/msg10978.html. I hope
> that it provides a view of some of the considerations which were taken
> into account.  It would be easier to get a better view of the concerns
> if there is a document which takes new information which is publicly
> available into consideration.
> 
> It is not a good idea to diverge from established practice for ccTLDs,
> i.e. processing the changes requested by the ccTLDs.
> 
> Regards,
> S. Moonesamy
