wrt joao damas' DLV talk on wednesday

Randy Bush randy at psg.com
Tue Jun 13 21:49:40 UTC 2006


please reconcile

> no bank in its right mind, for example, would allow its identity
> to be held or represented by a middleman whose security policies
> weren't auditable.

with

> this is why we're trying to sign up some registrars, starting
> with alice's, who can send us blocks of keys based on their
> pre-existing trust relationships.

i think you might see why i am confused.  do you propose to audit
alice?  as rick says, this is unfortunately trivial, as the signed
registrations are zero <sigh>.

btw, i fully admit that i have not thought through a detailed
policy and process for a dlv registry.  then again, i am not
proposing to deploy one.  yep, criticism is cheap.  but then, i
have not charged much :-).

like some other technologies i'll not mention in this message,
dnssec has been a typical non-deployable ivtf mis-design by
committee for half the lifetime of the internet itself.  [ i left a
long trail of "this is badly broken.  someone should have listened
to masataka."  but have no idea if his 1/3 baked scheme would have
flown. ]  and i sympathize with your desire to get any useful
flight milage out of the disaster.  but, as this is a security
service, please register your flight plan.

randy




More information about the NANOG mailing list