Valdis, On Jul 24, 2008, at 6:05 PM, Valdis.Kletnieks@vt.edu wrote:
On Thu, 24 Jul 2008 17:43:10 PDT, David Conrad said:
On Jul 24, 2008, at 4:24 PM, Tomas L. Byrnes wrote:
The problem is, once the ICANNt root is self-signed, the hope of ever revoking that dysfunctional mess as authority is gone.
As far as I'm aware, as long as the KSK isn't compromised, changing the organization who holds the KSK simply means waiting until the next KSK rollover and have somebody else do the signing.
That's true if the ICANN KSK is signed *by some other entity* - that entity can then force a change by signing some *other* KSK for the next rollover.
If the ICANN key is self-signed as Tomas hypothesizes, then that leverage evaporates.
Except it doesn't work like that. As has been presented in numerous places (RIPE, ICANN, etc.), Richard Lamb has been working with the usual suspects (the Swedish DNSSEC mafia, NLNetLabs folks, Nominet folks, etc.) to come up with a secure, trustable, and accountable architecture for doing the signing. If a miracle happens and IANA were to be allowed to sign the root and then was told to give it to someone else, all that would need to be done would be for IANA staff to hand over the HSM, PIN codes and cards to someone else. Of course, part of the architecture is that there is more than one card and that someone other than IANA would hold the second card (i.e., the same sort of thing you see in US missle silos), but that's somewhat irrelevant to a discussion about how the "dysfunctional mess" would have its "authority" revoked. I suppose one could argue that ICANN could refuse to hand over the HSM, the PIN codes and cards, but given ICANN is a California- incorporated company providing the IANA functions under a contract with the US government, I somehow doubt ICANN would be in any position to refuse. Federal Marshals can be quite persuasive I'm told. Of course, all of this is academic since since I figure it is highly unlikely IANA will be permitted to sign the root. If anyone, my money is on VeriSign (you remember them...) but it may be some other Beltway Bandit as Paul suggests. Regards, -drc