[144950] in cryptography@c2.net mail archive

Possibly questionable security decisions in DNS root management

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Wed Oct 14 18:25:25 2009

From: "Perry E. Metzger" <perry@piermont.com>
To: cryptography@metzdowd.com
Date: Wed, 14 Oct 2009 18:24:06 -0400


Ekr has a very good blog posting on what seems like a bad security
decision being made by Verisign on management of the DNS root key.

http://www.educatedguesswork.org/2009/10/on_the_security_of_zsk_rollove.html

In summary, a decision is being made to use a "short lived" 1024 bit key
for the signature because longer keys would result in excessively large
DNS packets. However, such short keys are very likely crackable in short
periods of time if the stakes are high enough -- and few keys in
existence are this valuable.

Perry
-- 
Perry E. Metzger		perry@piermont.com
