DNSO Archives: [ga]

ICANN/DNSO DNSO Mailling lists archives

[ga]

<<< Chronological Index >>> <<< Thread Index >>>

Re: [ga] Secure DNS

To: ga@dnso.org
Subject: Re: [ga] Secure DNS
From: Kent Crispin <kent@songbird.com>
Date: Thu, 14 Sep 2000 12:43:27 -0700
In-Reply-To: <39C122A8.10462379@storm.ca>; from Sandy Harris on Thu, Sep 14, 2000 at 03:10:32PM -0400
Mail-Followup-To: ga@dnso.org
References: <39C122A8.10462379@storm.ca>
Sender: owner-ga@dnso.org

On Thu, Sep 14, 2000 at 03:10:32PM -0400, Sandy Harris wrote:
[...]
> One question is whether crypto export restrictions apply to this software.

No, they don't.  A specific exception was granted through the efforts of
John Gilmore.  I don't remember the details, but it was a cause for some
celebration. 

[...]

> If it seems useful, I'll volunteer to write a draft of such a statement. 

Not necessary.

> Another issue is that security is especially important for the root
> servers, the top level servers in ccTLDs, and other widely trusted
> servers. ICANN should start now (or have they already and I missed it?)

The discussions of this work mainly take place in the IETF, not ICANN. 
The dnsops WG is a good place to start.  There have been some 
interesting experiments -- for example, one of the ccTLDs signed the 
entire zone -- it took about a day.
[...]

> It appears likely we need an ICANN key and procedures for it to sign
> all TLD keys. Are those procedures worked out yet?

Once again, most of this stuff is handled in the ops area of the IETF.

> Still another issue is how to manage this so that the transition to
> secure DNS does not further subvert the net in the direction of
> commercial control of essential facilities.

Would you prefer commercial control (ie -- "the market") or 
government?  ICANN doesn't have any independent source of power by 
which it can exert control (neither the government nor the businesses 
involved are going to let an ICANN controlled by cyberanarchists have 
any control whatsoever.)

> With NSI having recently been bought by Verisign, there appears to be
> some risk that they might attempt to arrange things so that users
> could have secure DNS services only by buying Verisign certificates.
>
> The protocols do not require this, but their policies and procedures
> could attempt to enforce it.

You have identified what I consider to be perhaps the most serious long
term concern that faces us.  The consolidation of the CA market (eg, the
purchase of Thawte by Verisign) followed shortly thereafter by the
purchase of NSI, is a very troubling trend. 

> Methinks ICANN should make it quite clear now that this would be
> entirely unacceptable, lest a fait accompli appear.

You have a serious but very common misunderstanding about ICANN's role. 
Pronouncements by ICANN on this subject would be almost totally
ineffectual.  ICANN could just as well make it quite clear that further
conflict in the Middle East would be entirely unacceptable.  The effect
would be about the same. 

That is, yes, the concerns are real, but ICANN has no power to do
anything about it.  This battle will have to be fought elsewhere.

-- 
Kent Crispin                               "Do good, and you'll be
kent@songbird.com                           lonesome." -- Mark Twain
--
This message was passed to you via the ga@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga" in the body of the message).
Archives at http://www.dnso.org/archives.html

Follow-Ups:
- Re: [ga] Secure DNS
  - From: Harald Alvestrand <Harald@Alvestrand.no>

References:
- [ga] Secure DNS
  - From: Sandy Harris <sandy@storm.ca>
- [ga] Secure DNS
  - From: Sandy Harris <sandy@storm.ca>

<<< Chronological Index >>> <<< Thread Index >>>