Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

[Doug Barton <dougb () dougbarton us>]

On 09/08/2013 02:25 AM, Eugen Leitl wrote:
> ----- Forwarded message from Gregory Perry <Gregory.Perry () govirtual tv> -----
>
> Date: Sat, 7 Sep 2013 21:14:47 +0000
> From: Gregory Perry <Gregory.Perry () govirtual tv>
> To: Phillip Hallam-Baker <hallam () gmail com>
> Cc: "cryptography () metzdowd com" <cryptography () metzdowd com>, ianG <iang () iang org>
> Subject: Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"
>
> On 09/07/2013 05:03 PM, Phillip Hallam-Baker wrote:
>
> Good theory only the CA industry tried very hard to deploy and was prevented from doing so because Randy Bush abused 
> his position as DNSEXT chair to prevent modification of the spec to meet the deployment requirements in .com.
>
> DNSSEC would have deployed in 2003 with the DNS ATLAS upgrade had the IETF followed the clear consensus of the DNSEXT 
> working group and approved the OPT-IN proposal. The code was written and ready to deploy.
>
> I told the IESG and the IAB that the VeriSign position was no bluff and that if OPT-IN did not get approved there would 
> be no deployment in .com. A business is not going to spend $100million on deployment of a feature that has no proven 
> market demand when the same job can be done for $5 million with only minor changes.

I was also there in 2003, and for a long time before that, and was also 
one of the voices that was saying that we needed opt-in, and protection 
from zone walking, or else the thing wouldn't fly. I don't recall that 
any 1 person was the reason those things didn't happen sooner than they 
did; in fact I recall near-universal sentiment that zone walking was a 
non-issue, and that opt-in defeated the very nature of what DNSSEC was 
trying to accomplish.

Fast forward to my time at IANA in 2004 and after considerable behind 
the scenes organization a coalition of TLD registries came forward and 
said that they would not deploy DNSSEC without those 2 features, and 
were willing to dedicate the resources to create them. So it was not 1 
person who stopped DNSSEC deployment, and it wasn't 1 person who made it 
happen.

Your larger point about fiefdoms and oligarchies in the IETF is, 
however, tragically accurate. The blindness of the DNSSEC literati to 
the real-world needs was a huge part of what caused the delay in 
deployment on the authoritative side, and the malaise caused by the 
decade+ of fighting to get it out the door is a big contributor to 
what's preventing any real solution to the last mile problem (which is 
what it takes to make DNSSEC really useful).

Doug