<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><div class="">On 17 Oct 2014, at 16:55, Warren Kumari <<a href="mailto:warren@kumari.net" class="">warren@kumari.net</a>> wrote:</div><div class=""><br class=""></div><blockquote type="cite" class=""><span style="font-family: Menlo-Regular; font-size: 11px;" class="">echo -n '. '; wget -q -O -</span><br class=""><div class=""><a href="https://data.iana.org/root-anchors/Kjqmt7v.crt" style="font-family: Menlo-Regular; font-size: 11px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">https://data.iana.org/root-anchors/Kjqmt7v.crt</a><span style="font-family: Menlo-Regular; font-size: 11px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class=""><span class="Apple-converted-space"> </span>| openssl x509 -text</span><br style="font-family: Menlo-Regular; font-size: 11px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Menlo-Regular; font-size: 11px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">-inform der| grep 'Subject:' | cut -d ' ' -f16- > root.anchor</span><br style="font-family: Menlo-Regular; font-size: 11px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><br style="font-family: Menlo-Regular; font-size: 11px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Menlo-Regular; font-size: 11px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Now can I have a cookie?</span><br style="font-family: Menlo-Regular; font-size: 11px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""></div></blockquote><div><br class=""></div><div>You can if you can explain what your trust on the retrieved Kjqmt7v.crt file is based on, and how you came up with that filename. Also, I'm taking five points off your score for using wget instead of curl, but that's just because I'm unreasonable.</div><div><br class=""></div><div>Unless you skipped to the end, your trust in that certificate is based on trust in whatever CDN ICANN is using for <a href="http://data.iana.org" class="">data.iana.org</a> (which you don't know, don't pretend you looked) and the TLS (or, let's be pessimistic, SSLv3) that was negotiated between your wget and the CDN's servers. This doesn't smell very good to me, and I think we can aim higher.</div><br class=""><blockquote type="cite" class=""><div class=""><span style="font-family: Menlo-Regular; font-size: 11px;" class="">(Needlessly snotty, passive aggressive way of pointing out that the</span><br class=""><span style="font-family: Menlo-Regular; font-size: 11px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">technique in the draft is simple enough that many folk may be doing</span><br style="font-family: Menlo-Regular; font-size: 11px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Menlo-Regular; font-size: 11px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">this without an "implementation")</span><br style="font-family: Menlo-Regular; font-size: 11px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""></div></blockquote><div><br class=""></div><div>The intention was that you would be able to find many certificates on <a href="http://data.iana.org" class="">data.iana.org</a>, and that you would keep looking until you found one with a valid signature chain back to a certificate you actually trust (e.g. a code-signing cert used for software updates, etc).</div><div><br class=""></div><div>The signature in the cert you retrieved was made by a proof-of-concept IANA CA which properly ought to be trusted by nobody. The PGP detached PGP and S/MIME signatures in that directory are similarly untrustworthy.</div><div><br class=""></div><div>What was envisaged was that DNSVendor, Inc. would make arrangements with ICANN to retrieve a trusted copy of the CSR containing the root zone trust anchor set and sign it according to their normal certificate management practices with a key that client software has a means to trust, and publish the resulting certificate on <a href="http://data.iana.org" class="">data.iana.org</a> along with similar certificates from NameVendor, Inc. and anybody else who has a need to distribute software to bootstrap trust in DNSSEC.</div><div><br class=""></div><div>This has been poorly communicated, or there is no interest, or there is some other reason why this has not happened.</div><div><br class=""></div><div><br class=""></div><div>Joe</div><div><br class=""></div></div></body></html>