[144978] in cryptography@c2.net mail archive


Re: Possibly questionable security decisions in DNS root management

daemon@ATHENA.MIT.EDU (Florian Weimer)
Thu Oct 22 10:05:34 2009

To: cryptography@metzdowd.com
From: Florian Weimer <fweimer@bfk.de>
Date: Wed, 21 Oct 2009 08:12:21 +0000
In-Reply-To: <20091019161526.GC11421@randombit.net> (Jack Lloyd's message of "Mon, 19 Oct 2009 12:15:26 -0400")

* Jack Lloyd:

> On Sat, Oct 17, 2009 at 02:23:25AM -0700, John Gilmore wrote:
>
>> DSA was (designed to be) full of covert channels.
>
> True, but TCP and UDP are also full of covert channels.

And you better randomize some bits covered by RRSIGs on DS RRsets.
Directly signing data supplied by a non-trusted source is quite risky.
(It turns out that the current signing schemes have not been designed
for this type of application, but the general crypto community is very
slow at realizing this discrepancy.)

-- 
Florian Weimer                <fweimer@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
