Verisign/NSI Security
Security and Stability Advisory Committee Recommendations
posted by michael on Tuesday September 23 2003, @05:45PM

Anonymous writes "The Security and Stability Advisory Committee has posted its initial review and recommendations regarding VeriSign's wildcard service. The article is here.

They basically echo what the IAB recommended earlier, that VeriSign should voluntarily suspend the SiteFinder/Wildcard stuff for the time being while the ramifications of such a configuration are explored, et al."


We can "route around" Verisign
by odonnell (michael_odonnell@acm.org) on Wednesday September 24 2003, @12:14PM (#12295)
User #3447 Info | http://people.cs.uchicago.edu/~odonnell/

The DNS root zone, as supported by Verisign, bundles together two different services:

  1. Handle service: a handle is a token (not necessarily humanly readable or mnemonic) that can be owned by a user and reassigned to different IP numbers as that user migrates around the network;

  2. Name service: a name is a humanly meaningful token that resolves to an IP address.

DNS is currently the only handle service, which gives Verisign a sort of monopoly power. There are many different name services, including DNS, Yahoo, Google, which could compete more evenly if none of them were bundled with the only handle service.

We could deploy a handle service with almost no administrative burden, using current DNS software, at a lower level of the DNS hierarchy (perhaps a 3d level domain), providing meaningless numerical handles freely to all. Bob Frankston has described this idea in his dotDNS proposal: http://www.circleid.com/article/225_0_1_0_C. It only requires a stable institutional sponsor with a highly defensible domain name (e.g. nicesponsor.org), the technical oomph to run a name server at traffic levels similar to the alternate root servers, and the willingness to provide silly looking subdomains (e.g. 188828281282232.dns.nicesponsor.org) to all who request them.

If a handle service under dns.nicesponsor.org proves useful, it can migrate up to a higher level in DNS, and future software deployment can eventually treat it as a new root. Users can assign their own handles using public-key signatures and secure hashing, depending on the sponsor only for dissemination and not for authorization. In the meantime, dotDNS does not interfere at all with the current DNS. Nobody has to abandon her use of DNS while exploiting the alternative value of dotDNS.

It's time to just do this.

[ Reply to This | Parent ]
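The comment's idea of self-assigned handles (public-key signatures plus secure hashing, with the sponsor used only for dissemination) can be sketched as follows; this is an added example, not code from the comment or from the dotDNS proposal. The scheme details are assumptions: Ed25519 keys, a handle formed from the first 128 bits of SHA-256 over the public key, a serial number against replay, and the hypothetical names `Record`, `HandleFor`, `Sign` and `Verify`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Record is what the sponsor disseminates; it authorizes nothing by itself.
type Record struct {
	PubKey ed25519.PublicKey
	Addr   string // address the handle currently points to
	Serial uint64 // raised by the owner on every reassignment
	Sig    []byte
}

// HandleFor derives the numeric label (assumed: 128 bits of SHA-256, decimal).
func HandleFor(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return new(big.Int).SetBytes(sum[:16]).String()
}

func payload(handle, addr string, serial uint64) []byte {
	return []byte(fmt.Sprintf("%s|%s|%d", handle, addr, serial))
}

// Sign lets the owner point the handle at addr without asking the sponsor.
func Sign(priv ed25519.PrivateKey, addr string, serial uint64) Record {
	pub := priv.Public().(ed25519.PublicKey)
	return Record{pub, addr, serial, ed25519.Sign(priv, payload(HandleFor(pub), addr, serial))}
}

// Verify is run by the resolver; lastSerial is the newest serial it has seen.
func Verify(handle string, r Record, lastSerial uint64) error {
	switch {
	case len(r.PubKey) != ed25519.PublicKeySize || HandleFor(r.PubKey) != handle:
		return fmt.Errorf("public key does not hash to this handle")
	case r.Serial <= lastSerial:
		return fmt.Errorf("stale record (replay of an older assignment)")
	case !ed25519.Verify(r.PubKey, payload(handle, r.Addr, r.Serial), r.Sig):
		return fmt.Errorf("signature does not match record")
	}
	return nil
}

func main() {
	rec := Sign(ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)), "192.0.2.10", 1) // constructed key
	fmt.Println(HandleFor(rec.PubKey)+".dns.nicesponsor.org", Verify(HandleFor(rec.PubKey), rec, 0))
}
```

Because the handle is a hash of the key, a sponsor that alters or substitutes a record can only make `Verify` fail; it cannot redirect a handle it does not hold the key for.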


The comments are property of their posters, all the rest © 2001, 2002, 2003 by ICANNWatch.Org.