[146811] in cryptography@c2.net mail archive


Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Sun Sep 8 11:52:53 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <201309080150.r881o6qK027453@new.toad.com>
Date: Sun, 8 Sep 2013 08:40:38 -0400
From: Phillip Hallam-Baker <hallam@gmail.com>
To: John Gilmore <gnu@toad.com>
Cc: Ray Dillinger <bear@sonic.net>,
	"cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Sat, Sep 7, 2013 at 9:50 PM, John Gilmore <gnu@toad.com> wrote:

> > >> First, DNSSEC does not provide confidentiality.  Given that, it's not
> > >> clear to me why the NSA would try to stop or slow its deployment.
>
> DNSSEC authenticates keys that can be used to bootstrap
> confidentiality.  And it does so in a globally distributed, high
> performance, high reliability database that is still without peer in
> the world.
>
> It was never clear to me why DNSSEC took so long to deploy, though
> there was one major moment at an IETF in which a member of the IESG
> told me point blank that Jim Bidzos had made himself so hated that the
> IETF would never approve a standard that required the use of the RSA
> algorithm -- even despite a signed blanket license for use of RSA for
> DNSSEC, and despite the expiration of the patent.  I


No, that part is untrue. I sat at the table with Jeff Schiller and Burt
Kaliski when Burt pitched S/MIME at the IETF. He was Chief Scientist of RSA
Labs at the time.

Jim did go after Phil Z. over PGP initially. But Phil Z. was violating the
patent at the time. That led to RSAREF and the MIT version of PGP.


DNSSEC was (and is) a mess as a standard because it is an attempt to
retrofit a directory designed around some very tight network constraints
and with a very poor architecture to make it into a PKI.

> PS: My long-standing domain registrar (enom.com) STILL doesn't support
> DNSSEC records -- which is why toad.com doesn't have DNSSEC
> protection.  Can anybody recommend a good, cheap, reliable domain
> registrar who DOES update their software to support standards from ten
> years ago?


The Registrars are pure marketing operations. Other than GoDaddy, which
implemented DNSSEC because they are trying to sell the business and more
tech looks kewl during due diligence, there is not a market demand for
DNSSEC.

One problem is that the Registrars almost invariably sell DNS registrations
at cost or at a loss and make the money up on value added products. In
particular SSL certificates.


-- 
Website: http://hallambaker.com/


_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography