On Wed, Oct 15, 2008 at 08:36:09AM -0700, Kim Davies wrote:
> On 15/10/08 8:05 AM, "bmanning@vacation.karoshi.com" <bmanning@vacation.karoshi.com> wrote:
> > both ICANN and Verisign are claiming that all the zone creation, change and publication should be with the same organization that creates, holds and uses the digital signatures attesting to the integrity of the zone data.
> > in local parlance, this is the functional equivalent of the fox watching the hen house.
>
> Sorry Bill, but I don't see how this analogy works at all. How does an uninvolved third party attest the integrity of the data in the root zone? In a DNSSEC-signed world, the ICANN/VeriSign/NTIA troika would presumably still be responsible for the content of the root zone.

that's ok, i said it was local. if you are not familiar with the role of company/security auditors or the use of notary publics, then perhaps knowledge in that area would be helpful in understanding my concerns.

> If we are talking about analogies, I want the md5sum or PGP signature testifying that a software package is not tampered with to be generated as close as possible to when the author created the tar file, not by third parties after it had passed through multiple hands.

nothing stops VSGN from continuing to provide the MD5sum on the data it ships.

> kim
--bill