North American Network Operators Group

Re: Exploit for DNS Cache Poisoning - RELEASED
On Thu, 24 Jul 2008 17:43:10 PDT, David Conrad said:
> On Jul 24, 2008, at 4:24 PM, Tomas L. Byrnes wrote:
>> The problem is, once the ICANNt root is self-signed, the hope of ever
>> revoking that dysfunctional mess as authority is gone.
> As far as I'm aware, as long as the KSK isn't compromised, changing
> the organization who holds the KSK simply means waiting until the next
> KSK rollover and have somebody else do the signing.

That's true if the ICANN KSK is signed *by some other entity* - that entity can then force a change by signing some *other* KSK for the next rollover. If the ICANN key is self-signed as Tomas hypothesizes, then that leverage evaporates. If

Attachment: pgp00020.pgp