[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers
Edward Lewis
Ed.Lewis at neustar.biz
Wed May 21 17:44:12 UTC 2008
At 17:26 +0100 5/21/08, Tony Finch wrote:
>On Wed, 21 May 2008, Edward Lewis wrote:
>>
>> Assuming that the change of an address is a rare event, we measure
>> the "mean time between events" in years (not months). This time
>> will likely be longer than the lifetime of any public key with the
>> importance of "protecting" the root zone or root hints.
>
>I'm not sure that's right. The lifetime of X.509 certificates embedded in
>browsers is very long - 25 years for Thawte, 30-40 years for Verisign,
>etc.
In that case, maybe there's a chance of leveraging that. But, tying
back to the suggestion of DNSSEC, DNSSEC doesn't use certificates.
Maybe the solution search space (to the problem of protecting the
root zone) has been too narrow, perhaps "serious" PKI armor is needed.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Never confuse activity with progress. Activity pays more.