Web expert on his 'catastrophe' key for the internet

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Wed Jul 28 18:55:47 UTC 2010


On Wed, 28 Jul 2010 09:24:57 PDT, "andrew.wallace" said:
> What I think is, this is leaving them wide open to attack. If an attack was 
> state-sponsored, it's likely they would be able to stop those selected people 
> reaching the location in the United States by way of operational officers 
> intercepting them by kidnap or murder, and indeed, a cyber attack without the 
> need for human intervention to stop the select people getting to their 
> destination could be done by knocking out the air traffic system, which would 
> hamper the resetting and creation of new keys for DNSSEC. 

Movie-plot threat. 

Hint 1 - if you want to cause actual mischief, I'd start the merriment over at
gtld-servers.net rather than the actual root, or maybe even one more level down
at the actual TLD servers.  '.' is small enough that it can easily be
hand-verified if need be, but there's like 140M things under .com handled by
dozens of registries and registrars - even with DNSSEC, plenty of room for fun
and games. (What protection does DNSSEC grant you against a squatter who
snarfs up a domain name that's accidentally expired due to a billing issue?)

Hint 2 - What do the 5th and 6th fields on the '.' SOA entry mean, especially
in this context? In particular, what operational aspect does the specified 5th
value give us if we're contemplating this movie-plot scenario?

> Even without the select people being prevented from reaching their location in 
> the United States, the disclosure tells the bad guys, approximately how long an 
> attack window they've got between the selected people leaving their work or home 
> and travelling by plane to the location.

Bzzt! Wrong, but thank you for playing.

The bad guys' *actual* window is between when the current root keys are lost/
compromised, and when the selected people *leave* to go to the selected
location.  Once you learn that the root key is compromised, you can take other
steps to mitigate damage (see hint 2 above).  When Paul Kane gets that phone
call that says he needs to take a plane trip, the window is *closing*, not
opening.

> It would have been better if the people who are the selected key holders were
> kept classified; a lot of the information given out wasn't in the public
> interest, or in the national interest for the arrangements to be made public.

Obviously you have approximately zero understanding of the crypto community.
They tend to be the most paranoid people out there - and the *only* way to get
acceptance of a signed root was to make sure that ICANN is *not* in possession
of enough keying material to sign a key by itself.  In addition, the owners of
keys need to be publicly known, to avoid allegations of "ICANN and a bunch
of unnamed people not associated with them. Honest - trust us".

In the crypto world, "trust us" is a fast path to Bruce Schneier's Doghouse.

> Of course this is just my opinion.

There's opinions, and opinions backed by operational experience.
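Hint 2 above points at the timing fields of the '.' SOA record. As an added example (not part of the post), here is a small parser for SOA RDATA as printed by a resolver tool that labels all seven RFC 1035 fields by position and reports the two operational values a defender looks at: EXPIRE (how long secondaries keep serving their last good copy of the zone after losing the primary) and MINIMUM (the negative-caching TTL per RFC 2308). The sample record is constructed in the shape of a root SOA, and which fields count as "5th and 6th" depends on whether the two name fields are counted, so the example simply numbers them from MNAME.

```python
# Added example (not from the post): parse DNS SOA RDATA and describe its
# timing fields per RFC 1035 section 3.3.13. Not the root zone's real record.
from __future__ import annotations

from dataclasses import dataclass
from datetime import timedelta

# Constructed sample shaped like a root SOA; serial and timers are illustrative.
SAMPLE_SOA = (
    "a.root-servers.net. nstld.verisign-grs.com. 2010072801 1800 900 604800 86400"
)

# RDATA field order as defined in RFC 1035.
FIELD_NAMES = ("MNAME", "RNAME", "SERIAL", "REFRESH", "RETRY", "EXPIRE", "MINIMUM")


@dataclass(frozen=True)
class SOA:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(rdata: str) -> SOA:
    """Split presentation-format SOA RDATA into its seven fields."""
    parts = rdata.split()
    if len(parts) != 7:
        raise ValueError(f"SOA RDATA needs 7 fields, got {len(parts)}")
    mname, rname, *numbers = parts
    serial, refresh, retry, expire, minimum = (int(n) for n in numbers)
    return SOA(mname, rname, serial, refresh, retry, expire, minimum)


def field_by_position(soa: SOA, n: int) -> tuple[str, str | int]:
    """Return (name, value) of the n-th RDATA field, 1-based, counting MNAME as 1."""
    values = (soa.mname, soa.rname, soa.serial, soa.refresh,
              soa.retry, soa.expire, soa.minimum)
    return FIELD_NAMES[n - 1], values[n - 1]


def stale_serving_window(soa: SOA) -> timedelta:
    """EXPIRE: how long a secondary keeps answering from its last transferred
    copy of the zone once it can no longer reach the primary."""
    return timedelta(seconds=soa.expire)


def negative_cache_ttl(soa: SOA) -> timedelta:
    """MINIMUM, repurposed by RFC 2308 as the TTL for negative answers."""
    return timedelta(seconds=soa.minimum)
```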
