Patrik Fältström wrote:

Patrick, I strongly support your and Jim's efforts to get consensus on our statement. I won't even comment on Doug's reply to the dns-wg proposed statement - I simply can't accept his proposals. Regarding your points (not you personally - just comments):

1. We (here I am Russian) can't accept any scheme where we should sign something under USG legislation (it is easy enough: if we have no trust, what is the meaning of a digital signature? Any questions?) - It does mean that we don't need a secure network.

2. We will have a great problem using any foreign cryptography - but it seems it can be solved with the same approach as biometric passports today.

3. It is clear that in the current situation we will have more chances to find a common solution, as it will be more flexible and will reflect current reality.

4. Raising the issue of DNSSEC practically destroyed the current de facto (!) system of DNS root legitimacy - imho it was the greatest mistake (if someone can understand, drop me a personal message - I don't want to be a flamer).

Dima, without any hats - hope you can understand me.
In Cairo, I was thinking of what we have written so far, and find that the conclusions people draw from the text we have so far is not consistent with what I think was said at the RIPE meeting in Dubai.
I will suggest text, but wanted to raise these two things asap:
- I did NOT hear at the RIPE meeting in Dubai any specific preference for either IANA or Verisign as the holder of any keys. That said, I did hear some voices that felt "IANA is the natural trust anchor today for the DNS namespace, and because of that they should also hold the KSK". I did not hear any similar voice for Verisign.
- I have heard last week more voices that think one should look carefully at the whole chain of trust from the TLD via the root to the resolver, and point out that the whole chain is important. This includes where/when the zone is signed. I hear some people saying it is good if the DS record passed from the TLD is signed as soon as possible (by the organisation that receives the DS, today IANA).
To let the rubber hit the road: these _technical_ arguments argue for zone signing by the organisation receiving the DS, and therefore the ZSK should be held by that organisation. This further implies a move of the zone creation from Verisign to IANA.
So, I see the following alternatives being the dominant ones:
1. No change in the current structure. ZSK should be with Verisign as Verisign is zone creator. KSK stays also with Verisign so that KSK and ZSK are close to each other. Security of DS when moving DS from IANA to Verisign is unclear, and trust chain from IANA (that we trust for the root of the namespace) and the KSK that Verisign holds is unclear.
2. No change in the current structure. ZSK should be with Verisign as Verisign is zone creator. KSK held by IANA. Namespace root and KSK held by IANA, so trust chain is simple to see. Security of DS when moving DS from IANA to Verisign is unclear.
3. Zone signing is with IANA, so IANA sends signed records to Verisign. This implies a change in the current structure, as more than the changed record is sent to Verisign (also NSEC etc). ZSK should be with IANA. KSK held by IANA. Namespace root and KSK held by IANA, so trust chain is simple to see. Security of DS is clear as it is signed when received by IANA.
Then on top of this, we could have alternatives like whether the "control over the keys" should be via some multiple-password system as suggested by Verisign, or split-key, or whether the community can "simply" trust whoever is going to hold the keys (via open key ceremonies etc).
I think my question is, should the reply from RIPE list alternatives in a way similar to this (I do not claim the above is perfect), so that it is easier for "whoever makes the decision" to count plusses and minuses from their point of view? Something I think should be possible already with the current list of bullets, if one just makes some of the points more clear and down to earth and not so much hand waving.
Patrik
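The chain of trust Patrik describes (trust anchor, root KSK, root ZSK, DS in the root zone, TLD KSK) can be made concrete in code. The following is an added example, not part of the thread or of any IANA or Verisign tooling: it derives a DS record from a DNSKEY and computes the key tag exactly as RFC 4034 specifies, then walks a resolver's validation path over constructed sample keys (the key bytes and zone contents are placeholders, not real root or TLD material). The RRSIG checks that would sit between the steps, which are the signatures the ZSK and KSK produce and the part of the chain whose location the thread argues about, are marked as comments rather than performed, since verifying them needs an asymmetric-crypto library.

```python
"""Toy model of the DNSSEC chain of trust: trust anchor -> root DNSKEY RRset
-> DS RRset in the root zone -> TLD DNSKEY.  DS digest (RFC 4034 s.5.1.4) and
key tag (RFC 4034 App. B) are computed for real; RRSIG verification is only
indicated in comments.  All keys below are constructed sample data."""
import hashlib
import struct
from dataclasses import dataclass

ZONE_KEY_FLAG = 0x0100   # bit 7: this DNSKEY is a zone key
SEP_FLAG = 0x0001        # bit 15: Secure Entry Point, i.e. a KSK


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    algorithm: int
    public_key: bytes      # raw key material; placeholder bytes in this example
    protocol: int = 3      # always 3 for DNSSEC

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (valid for every algorithm except 1)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def is_ksk(self) -> bool:
        return bool(self.flags & SEP_FLAG)


@dataclass(frozen=True)
class DS:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int   # 2 = SHA-256
    digest: bytes


def make_ds(key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = SHA-256(canonical owner name || DNSKEY RDATA).
    This is what a TLD hands to the parent (today IANA) for publication in the root."""
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) is modelled here")
    digest = hashlib.sha256(name_to_wire(key.owner) + key.rdata()).digest()
    return DS(key.owner, key.key_tag(), key.algorithm, digest_type, digest)


def ds_matches(ds: DS, key: DNSKEY) -> bool:
    """A DS record links to a DNSKEY only if owner, key tag, algorithm and digest all agree."""
    return (ds.owner.lower() == key.owner.lower()
            and ds.key_tag == key.key_tag()
            and ds.algorithm == key.algorithm
            and make_ds(key, ds.digest_type).digest == ds.digest)


def validate_chain(trust_anchor: DS, root_keys: list, root_ds_set: list,
                   tld_keys: list, tld: str) -> list:
    """Walk the chain top-down; return the checks that passed, stopping at the first failure."""
    passed = []
    if not any(k.is_ksk() and ds_matches(trust_anchor, k) for k in root_keys):
        return passed
    passed.append("root KSK matches the configured trust anchor")
    # RRSIG over the root DNSKEY RRset, made by the root KSK, would be verified here.
    if not any(not k.is_ksk() for k in root_keys):
        return passed
    passed.append("root ZSK is present in the KSK-signed DNSKEY RRset")
    # RRSIG over the DS RRset, made by the root ZSK, would be verified here;
    # whoever holds the ZSK is the party that vouches for the DS at this step.
    tld_ds = [d for d in root_ds_set if d.owner.lower() == tld.lower()]
    if not any(k.is_ksk() and any(ds_matches(d, k) for d in tld_ds) for k in tld_keys):
        return passed
    passed.append(f"{tld} KSK matches the DS published in the root zone")
    return passed


# Constructed sample data (not real keys): a root KSK/ZSK pair and one TLD KSK.
ROOT_KSK = DNSKEY(".", ZONE_KEY_FLAG | SEP_FLAG, 8, b"\x01\x02")
ROOT_ZSK = DNSKEY(".", ZONE_KEY_FLAG, 8, b"\x03\x04")
SE_KSK = DNSKEY("se.", ZONE_KEY_FLAG | SEP_FLAG, 8, b"\x05\x06")
TRUST_ANCHOR = make_ds(ROOT_KSK)      # what a resolver would be configured with
ROOT_DS_SET = [make_ds(SE_KSK)]       # what the root zone publishes for the TLD


def demo() -> list:
    return validate_chain(TRUST_ANCHOR, [ROOT_KSK, ROOT_ZSK], ROOT_DS_SET, [SE_KSK], "se.")


if __name__ == "__main__":
    for step in demo():
        print("ok:", step)
```

Replacing the TLD key with one whose bytes differ stops the walk after the second step, which is the situation the DS-handling question in the thread is about: the link from root to TLD only holds if the DS the parent publishes was derived from, and signed over, the key the TLD actually uses.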