[dnssec-deployment] Filling the IANA ITAR
bmanning at vacation.karoshi.com
Wed Oct 28 15:47:56 EDT 2009
On Wed, Oct 28, 2009 at 03:26:16PM -0400, Andrew Sullivan wrote:
> On Wed, Oct 28, 2009 at 12:10:43PM +0000, bmanning at vacation.karoshi.com wrote:
> > This last leads me to believe that there will be a raft of inconsistencies
> > as folks forget to pull old data out of the ITAR - or to scrub those DLV registries
> > that import from the ITAR.
>
> And on another list, I will note, there has been some reluctance to
> accept the notion of ANY trust-path match. Just sayin'.
:)
part of my point is that no matter how a DS gets out, it will
be stuffed into some keystore or other and the DS owner has no
idea who has a copy or where those copies will end up.
I am not naive enough to think we can actually build an operational
system based on a clean, single path.
wrt ANY trust-path, that seems like a way for -HISTORY to work..
building on previously known good materials to improve one's trust
state. Yes there are downgrade attacks, Yes there are ample chances
to circumvent the old exposed crypto...
BUT (and it's a big one) there are known ways to build trust from
untrusted sources. and so I'd really like the option to have
-some- referent to old datum. (me likes the idea of ANY) the devil
is in the details.
>
> A
>
> --
> Andrew Sullivan
> ajs at shinkuro.com
> Shinkuro, Inc.