On 9/06/2011, at 11:23 PM, Ewen McNeill wrote:
> PS: Peter Gutmann is of course completely right that even at 1280-bits the KSK is by no means the weakest point to compromise. Many other points would be much easier to compromise. Including, eg, injecting faked data via a less-secure registrar (as one of the SSL CAs was compromised recently). However the KSK bit size is on the sticker on the outside, and easily measurable, so is likely to be a point of comparison. Security of authorised registrars is much harder to quantify/police.
X.509 vendors have gone to extraordinary lengths to get people to look at the bit size as a sticker on the box and still nobody does. I can guarantee that nobody will look at the KSK size for the same reasons. This conversation is possibly the only discussion that will ever take place on this issue. The best result for DNSSEC is if it becomes ubiquitous, standard practice and just works. Any attempt at making it into something bigger than that will fade quickly - it simply is not high-profile enough.

regards
Jay
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
--
Jay Daley
Chief Executive
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 931 6977
mobile: +64 21 678840