On Thu, Mar 27, 2014 at 2:39 PM, Nicholas Weaver
<nwea...@icsi.berkeley.edu> wrote:
>
> On Mar 27, 2014, at 11:18 AM, Christopher Morrow 
> <christopher.mor...@gmail.com> wrote:
>
>> On Thu, Mar 27, 2014 at 10:52 AM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
>>> Yes. If doing it for the DNS root key is too politically challenging, maybe 
>>> do it for one of the 1024-bit trust anchors in the browser root pile.
>>
>> why would this be politically sensitive?
>
> Because the browsers have already decided killing off 1024b CAs is a good 
> idea, and they could revoke just those CAs once someone breaks a 1024b 
> example, since the browser vendors have good experience in revoking bad CAs 
> already (cue DigiNotar...)
>
>
> In contrast, DNSSEC seems mired in a 1024b swamp at the root, and when you 
> can use an old key (which you can for the root, since you can fake everything 
> up below that dynamically and fake NTP so that your bad key is still kosher), 
> breaking a root key really would be breaking DNSSEC.


That didn't really answer the question. Do you mean: "NTIA/ICANN (pick
your place depending on day and worldview) would be upset that someone
proved there are no pants on the emperor"?

I'm not sure that matters, though. Just because you did it and
published the result/example doesn't mean that this isn't already
happening all over the net, right? I don't know that there's a reason
to NOT do the experiment and publish. Without some impetus, what's
going to drive the change, given other priorities that exist and
already have leadership attention?

Why don't you just go do the experiment, Nick, and let us know how it goes?

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
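The thread above turns on RSA key sizes in the DNSSEC root and in browser root stores. As an added example that is not part of the list discussion or of any IETF or ICANN code, the script below parses DNSKEY records in presentation format, extracts the RSA modulus length from the RFC 3110 public-key field, computes the RFC 4034 key tag, and flags keys below an assumed 2048-bit policy threshold (MIN_RSA_BITS is this example's choice, not a value from the thread). The records it operates on are constructed with a synthetic modulus so it runs offline; checking the real root or a real zone would mean feeding it the DNSKEY RRset fetched from DNS instead.

```python
import base64
import struct

# DNSSEC algorithm numbers whose public-key field is RSA in RFC 3110 format.
RSA_ALGORITHMS = {1: "RSAMD5", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1",
                  8: "RSASHA256", 10: "RSASHA512"}

# Assumed policy threshold for this example; the thread argues that
# 1024-bit RSA is the size worth worrying about.
MIN_RSA_BITS = 2048


def rsa_modulus_bits(pubkey: bytes) -> int:
    """Modulus length in bits of an RFC 3110 RSA public key blob.

    Wire layout: one exponent-length octet (or 0x00 followed by a two-octet
    length when the exponent exceeds 255 octets), the exponent, then the
    modulus, which runs to the end of the field with no leading zero octets.
    """
    if not pubkey:
        raise ValueError("empty public key field")
    if pubkey[0] != 0:
        exp_len, off = pubkey[0], 1
    else:
        if len(pubkey) < 3:
            raise ValueError("truncated exponent length")
        exp_len, off = struct.unpack("!H", pubkey[1:3])[0], 3
    modulus = pubkey[off + exp_len:]
    if not modulus:
        raise ValueError("no modulus present")
    return int.from_bytes(modulus, "big").bit_length()


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the full DNSKEY RDATA (not for algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(presentation: str) -> dict:
    """Parse 'flags protocol algorithm base64' into a small summary dict."""
    flags, proto, alg, *b64 = presentation.split()
    flags, proto, alg = int(flags), int(proto), int(alg)
    pubkey = base64.b64decode("".join(b64))
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    return {
        "flags": flags,
        "algorithm": alg,
        "is_ksk": bool(flags & 0x0001),  # SEP bit, set on key-signing keys
        "key_tag": key_tag(rdata),
        "bits": rsa_modulus_bits(pubkey) if alg in RSA_ALGORITHMS else None,
    }


def weak_rsa_keys(records, min_bits=MIN_RSA_BITS):
    """Return summaries of RSA DNSKEYs whose modulus is shorter than min_bits."""
    found = []
    for rec in records:
        info = parse_dnskey(rec)
        if info["bits"] is not None and info["bits"] < min_bits:
            found.append(info)
    return found


def make_test_dnskey(flags, alg, bits, exponent=b"\x01\x00\x01"):
    """Build a DNSKEY presentation string around a SYNTHETIC modulus.

    The modulus is a fixed pattern with the top bit set, so it is exactly
    `bits` long; it is not a product of primes and cannot sign anything.
    """
    modulus = (1 << (bits - 1)) | 0x10001
    mod_bytes = modulus.to_bytes(bits // 8, "big")
    exp_len = len(exponent)
    hdr = bytes([exp_len]) if exp_len < 256 else b"\x00" + struct.pack("!H", exp_len)
    pubkey = hdr + exponent + mod_bytes
    return f"{flags} 3 {alg} {base64.b64encode(pubkey).decode()}"


if __name__ == "__main__":
    # Constructed records: a 1024-bit RSASHA256 ZSK and a 2048-bit KSK.
    zone = [make_test_dnskey(256, 8, 1024), make_test_dnskey(257, 8, 2048)]
    for weak in weak_rsa_keys(zone):
        print(f"weak key: tag {weak['key_tag']} alg {weak['algorithm']} "
              f"{weak['bits']} bits")
```

The exponent-length branch matters in practice: most keys use a one-octet length, but the two-octet form is legal and a parser that ignores it will miscount the modulus. Non-RSA algorithms (ECDSA, EdDSA) carry no modulus, so the check reports `None` for them rather than a misleading size.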
