From eugen@leitl.org Mon Sep 9 04:58:08 2013
From: Eugen Leitl
To: cypherpunks@lists.cpunks.org
Subject: Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"
Date: Mon, 09 Sep 2013 10:58:06 +0200
Message-ID: <20130909085805.GJ10405@leitl.org>

----- Forwarded message from Doug Barton -----

Date: Sun, 08 Sep 2013 15:44:05 -0700
From: Doug Barton
To: nanog(a)nanog.org
Subject: Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130803 Thunderbird/17.0.8

On 09/08/2013 02:25 AM, Eugen Leitl wrote:
> ----- Forwarded message from Gregory Perry -----
>
> Date: Sat, 7 Sep 2013 21:14:47 +0000
> From: Gregory Perry
> To: Phillip Hallam-Baker
> Cc: "cryptography(a)metzdowd.com", ianG
> Subject: Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"
>
> On 09/07/2013 05:03 PM, Phillip Hallam-Baker wrote:
>
> Good theory, only the CA industry tried very hard to deploy and was prevented from doing so because Randy Bush abused his position as DNSEXT chair to prevent modification of the spec to meet the deployment requirements in .com.
>
> DNSSEC would have deployed in 2003 with the DNS ATLAS upgrade had the IETF followed the clear consensus of the DNSEXT working group and approved the OPT-IN proposal. The code was written and ready to deploy.
>
> I told the IESG and the IAB that the VeriSign position was no bluff and that if OPT-IN did not get approved there would be no deployment in .com. A business is not going to spend $100 million on deployment of a feature that has no proven market demand when the same job can be done for $5 million with only minor changes.
I was also there in 2003, and for a long time before that, and was also one of the voices that was saying that we needed opt-in, and protection from zone walking, or else the thing wouldn't fly. I don't recall that any 1 person was the reason those things didn't happen sooner than they did; in fact I recall near-universal sentiment that zone walking was a non-issue, and that opt-in defeated the very nature of what DNSSEC was trying to accomplish.

Fast forward to my time at IANA in 2004 and after considerable behind-the-scenes organization a coalition of TLD registries came forward and said that they would not deploy DNSSEC without those 2 features, and were willing to dedicate the resources to create them. So it was not 1 person who stopped DNSSEC deployment, and it wasn't 1 person who made it happen.

Your larger point about fiefdoms and oligarchies in the IETF is, however, tragically accurate. The blindness of the DNSSEC literati to the real-world needs was a huge part of what caused the delay in deployment on the authoritative side, and the malaise caused by the decade+ of fighting to get it out the door is a big contributor to what's preventing any real solution to the last mile problem (which is what it takes to make DNSSEC really useful).

Doug

----- End forwarded message -----

-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5