
People have been predicting that since before Adam Langley wrote "Why Not DANE In Browsers", and making excuses about the keys that are there. Nobody denies that a 1024 bit RSA key is less bad than an MD5 certificate; it's still quite bad, and, personally, I'd argue, the worst kind of bad --- the kind of flaw that motivates large capital and operational expenditures at intelligence agencies.
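The 1024-bit RSA DNSKEY concern raised above, as an added example that is not part of the thread: a Python check (names and sample records are constructed, not taken from any real zone) that parses the RFC 3110 RSA public key carried in DNSKEY RDATA and flags moduli below 2048 bits, so an operator can inventory which keys still need rolling.

```python
import base64
import struct

# RFC 4034/5702 DNSKEY algorithm numbers whose public key is an RFC 3110 RSA blob.
RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}

def rsa_modulus_bits(public_key: bytes) -> int:
    """Modulus size in bits of an RFC 3110 RSA public key.

    Wire format: 1-byte exponent length (0 means a 2-byte length follows),
    then the exponent, then the modulus; both big-endian unsigned integers.
    """
    exp_len, offset = public_key[0], 1
    if exp_len == 0:
        exp_len, offset = struct.unpack("!H", public_key[1:3])[0], 3
    modulus = public_key[offset + exp_len:]
    if not modulus:
        raise ValueError("truncated RSA public key")
    return int.from_bytes(modulus, "big").bit_length()

def weak_rsa_dnskeys(records, min_bits=2048):
    """Return (owner, role, algorithm, bits) for RSA DNSKEYs shorter than min_bits.

    records: (owner, flags, protocol, algorithm, base64 key) tuples in
    presentation-format order. Non-RSA algorithms (e.g. 13, ECDSA) are skipped.
    """
    findings = []
    for owner, flags, _protocol, algorithm, key_b64 in records:
        if algorithm not in RSA_ALGORITHMS:
            continue
        bits = rsa_modulus_bits(base64.b64decode(key_b64))
        if bits < min_bits:
            role = "KSK" if flags & 1 else "ZSK"  # SEP flag marks the key-signing key
            findings.append((owner, role, RSA_ALGORITHMS[algorithm], bits))
    return findings

def constructed_rsa_dnskey(modulus_bits: int) -> str:
    """Test data only: base64 RFC 3110 blob with a dummy modulus of the given size."""
    exponent = (65537).to_bytes(3, "big")
    modulus = ((1 << (modulus_bits - 1)) | 0x1234567).to_bytes(modulus_bits // 8, "big")
    return base64.b64encode(bytes([len(exponent)]) + exponent + modulus).decode()

# Constructed sample zone: a 2048-bit KSK (flags 257) and a 1024-bit ZSK (flags 256).
SAMPLE_DNSKEYS = [
    ("example.test.", 257, 3, 8, constructed_rsa_dnskey(2048)),
    ("example.test.", 256, 3, 8, constructed_rsa_dnskey(1024)),
]
```

Feeding `weak_rsa_dnskeys` the DNSKEY RRset of a zone reports only the 1024-bit ZSK in the constructed sample; the check is read-only and involves no signing or validation.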


Even if every key below the root were 1024 bits, why would this be an argument against the concept of DNSSEC in general? DNSSEC keys can, by design, be rolled and replaced, and people will replace them as soon as they feel it is reasonably safe to do so.

The perfect is the enemy of the good. What is the intended result of advocating for choosing not to adopt DNSSEC? Is this intended result actually likely, or is it more like a boycott for the principle of the thing?


I don't think I can answer this any more effectively than I did in "Against DNSSEC", linked upthread. I'll just point out that the bad is also the enemy of the good.


A “bad” which is by design fixable as time passes is much better than a theoretical “good” which is not currently commonly supported, and isn’t looking likely to be such any time soon.


I have no idea what you're trying to say here.


Are you saying that with the right amount of budget a 1024 RSA key can be broken today?


Yes, of course I am. I'd be repeating something Eran Tromer said 10 years ago.

