[Cryptography] Opening Discussion: Speculation on "BULLRUN"

Eugen Leitl eugen at leitl.org
Mon Sep 9 01:58:06 PDT 2013


----- Forwarded message from Doug Barton <dougb at dougbarton.us> -----

Date: Sun, 08 Sep 2013 15:44:05 -0700
From: Doug Barton <dougb at dougbarton.us>
To: nanog at nanog.org
Subject: Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130803 Thunderbird/17.0.8

On 09/08/2013 02:25 AM, Eugen Leitl wrote:
> ----- Forwarded message from Gregory Perry <Gregory.Perry at govirtual.tv> -----
> 
> Date: Sat, 7 Sep 2013 21:14:47 +0000
> From: Gregory Perry <Gregory.Perry at govirtual.tv>
> To: Phillip Hallam-Baker <hallam at gmail.com>
> Cc: "cryptography at metzdowd.com" <cryptography at metzdowd.com>, ianG <iang at iang.org>
> Subject: Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"
> 
> On 09/07/2013 05:03 PM, Phillip Hallam-Baker wrote:
> 
> Good theory, only the CA industry tried very hard to deploy and was prevented from doing so because Randy Bush abused his position as DNSEXT chair to prevent modification of the spec to meet the deployment requirements in .com.
> 
> DNSSEC would have deployed in 2003 with the DNS ATLAS upgrade had the IETF followed the clear consensus of the DNSEXT working group and approved the OPT-IN proposal. The code was written and ready to deploy.
> 
> I told the IESG and the IAB that the VeriSign position was no bluff and that if OPT-IN did not get approved there would be no deployment in .com. A business is not going to spend $100 million on deployment of a feature that has no proven market demand when the same job can be done for $5 million with only minor changes.

I was also there in 2003, and for a long time before that, and was
also one of the voices that was saying that we needed opt-in, and
protection from zone walking, or else the thing wouldn't fly. I don't
recall that any 1 person was the reason those things didn't happen
sooner than they did; in fact I recall near-universal sentiment that
zone walking was a non-issue, and that opt-in defeated the very nature
of what DNSSEC was trying to accomplish.

Fast forward to my time at IANA in 2004 and after considerable behind
the scenes organization a coalition of TLD registries came forward and
said that they would not deploy DNSSEC without those 2 features, and
were willing to dedicate the resources to create them. So it was not 1
person who stopped DNSSEC deployment, and it wasn't 1 person who made
it happen.

Your larger point about fiefdoms and oligarchies in the IETF is,
however, tragically accurate. The blindness of the DNSSEC literati to
the real-world needs was a huge part of what caused the delay in
deployment on the authoritative side, and the malaise caused by the
decade+ of fighting to get it out the door is a big contributor to
what's preventing any real solution to the last mile problem (which is
what it takes to make DNSSEC really useful).

Doug



----- End forwarded message -----
-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
