On Jul 31, 2010, at 8:44 12AM, Peter Gutmann wrote:

> Apparently the DNS root key is protected by what sounds like a five-of-seven
> threshold scheme, but the description is a bit unclear. Does anyone know
> more?
>
> (Oh, and for people who want to quibble over "practically-deployed", I'm not
> aware of any real usage of threshold schemes for anything, at best you have
> combine-two-key-components (usually via XOR), but no serious use of real
> n-of-m that I've heard of. Mind you, one single use doesn't necessarily count
> as "practically deployed" either).

There is circumstantial evidence that such schemes were deployed for U.S. nuclear weapons command and control. I also wonder if it's used for some of the NSA's root keys -- they run very large PKIs.

--Steve Bellovin, http://www.cs.columbia.edu/~smb