On Wed, 28 Jul 2010 09:24:57 PDT, "andrew.wallace" said:
> What I think is, this is leaving them wide open to attack. If an attack were state-sponsored, it's likely they would be able to stop those selected people reaching the location in the United States by way of operational officers intercepting them by kidnap or murder, and indeed, a cyber attack without the need for human intervention to stop the select people getting to their destination could be done by knocking out the air traffic system. Which would hamper the resetting and creation of new keys for DNSSEC.
Movie-plot threat. Hint 1 - if you want to cause actual mischief, I'd start the merriment over at gtld-servers.net rather than the actual root, or maybe even one more level down at the actual TLD servers. '.' is small enough that it can easily be hand-verified if need be, but there's like 140M things under .com handled by dozens of registries and registrars - even with DNSSEC, plenty of room for fun and games. (What protection does DNSSEC grant you against a squatter who snarfs up a domain name that's accidentally expired due to a billing issue?) Hint 2 - What do the 5th and 6th fields on the '.' SOA entry mean, especially in this context? In particular, what operational aspect does the specified 5th value give us if we're contemplating this movie-plot scenario?
> Even without the select people being prevented from reaching their location in the United States, the disclosure tells the bad guys approximately how long an attack window they've got between the selected people leaving their work or home and travelling by plane to the location.
Bzzt! Wrong, but thank you for playing. The bad guys' *actual* window is between when the current root keys are lost/compromised, and when the selected people *leave* to go to the selected location. Once you learn that the root key is compromised, you can take other steps to mitigate damage (see hint 2 above). When Paul Kane gets that phone call that says he needs to take a plane trip, the window is *closing*, not opening.
> It would have been better if the people who are the selected key holders were kept classified; a lot of the information given out wasn't in the public interest, or in the national interest, for the arrangements to be made public.
Obviously you have approximately zero understanding of the crypto community. They tend to be the most paranoid people out there - and the *only* way to get acceptance of a signed root was to make sure that ICANN is *not* in possession of enough keying material to sign a key by itself. In addition, the owners of keys need to be publicly known, to avoid allegations of "ICANN and a bunch of unnamed people not associated with them. Honest - trust us". In the crypto world, "trust us" is a fast path to Bruce Schneier's Doghouse.
> Of course this is just my opinion.
There's opinions, and opinions backed by operational experience.