<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#333333" bgcolor="#ffffff">
<br>
<br>
On Tuesday 05 June 2012 09:17 PM, David Conrad wrote:
<blockquote
cite="mid:B7BB47BD-F1F5-40FD-A295-4FFB4D19F596@virtualized.org"
type="cite">
<pre wrap="">Ignoring that, there are technical issues relating to the size of signatures that make supporting multiple keys as you suggest quite challenging. Revising DNSSEC to add this capability would likely be quite expensive and I suspect the cost/benefit analysis would imply it would be difficult to get the technical community to revise the specifications, update implementations, and deploy the new code, particularly as all that effort would need to be done to address a non-technical consideration that most in the technical community would view (rightly or wrongly) as political window dressing.
</pre>
<br>
</blockquote>
<br>
That exactly is why technical standards development and CIR requires
political oversight. How can, what you call as, the 'technical
community' decide that such a matter of utmost importance to people and
countries outside the US is simply 'political window dressing'. It is
ridiculous. And whose cost/benefit analysis is it? Who decides the
social and political costs and benefits? Whose political and social
interests does this 'technical community', which thinks as you say it
thinks, represent. If they think they are experts in technical matters,
can they, by a similar logic, allow the possibilities that others may
know more than them about social, economic, cultural and political
matters, and the corresponding costs and benefits.<br>
<br>
This is a misuse of 'technical power' which really is no technical
power, it is real economic, social and political power masquerading as
technical power, hiding behind technical people and the so called
'technical community' in order to gain some legitimacy, or rather to
avoid the blame of
illegitimacy.<br>
<br>
And if it is just 'political window dressing' why was the US gov so
interested in asserting that the current DNSSEC model is what it wants,
and none of the possible alternatives. And why does US gov want the
IANA
manager to contractually agree that US gov will decide on the chief
security officer for this function... Does this look like matters that
can be called 'political window dressing'.<br>
<br>
<blockquote
cite="mid:B7BB47BD-F1F5-40FD-A295-4FFB4D19F596@virtualized.org"
type="cite">
<pre wrap="">However, I might suggest the focus on DNSSEC in this regard is misplaced. As mentioned in a previous note, DNSSEC merely provides the capability to verify that a DNS response hasn't been modified from the point at which the data was signed by the private key holder to the point where it was validated (typically by ISPs). The data first must be created before it can be signed. Once signed it still must be published. Even if the US were to go "rogue", root servers and caches outside the US would hold the pre-rogue root zone and it would be straightforward (technically at least) for a new signing facility to be established in Geneva, Beijing, or wherever else is felt to be more trustworthy. </pre>
</blockquote>
<br>
This suggestion is like beginning to set up a fire department when the
house is on fire. Actors dont go wholesale rogue in the manner you
picture it, neither is such a radical from-the-scratch response
possible in the real world. This is a bit of a technical construction
of the problem and its solution. Actors go rogue in stages, carefully,
for their rogue-ness to be sustainable. As US has been going rogue on
IP related international domain seizures, (and attempting to formalise
it through SOPA), as in the attempt at 'Internet Kill Switch'
legislation, as evident with ACTA, with use of Stuxnet and flame,
formalising un-disclosed security relationships with google, facebook,
twitter etc, with software companies...... What is your criterion for
declaring US gone rogue? And the drastic one time solution you suggest
- when the going-rogue event has taken place - accordingly doesnt
happen. The powerful actor going rogue is too smart for that. (This is
also the simple reason why UG gov's NTIA acts as it does, often looking
so much better to the global audience than many other US gov arms.) At
no point it does anything that makes the cost/ benefit equation for
other powerful players such as to go for really drastic steps, and thus
dominant power gets accepted and established.... Simple socio-political
insights. No rocket science really. <br>
<br>
parminder <br>
<br>
<br>
<br>
<blockquote
cite="mid:B7BB47BD-F1F5-40FD-A295-4FFB4D19F596@virtualized.org"
type="cite">
<pre wrap=""> The real problems are in how the data to be signed are created, edited, distributed, and published.
Regards,
-drc
</pre>
</blockquote>
</body>
</html>