Linked by Thom Holwerda on Fri 21st Jun 2013 19:08 UTC
Legal "Britain's spy agency GCHQ has secretly gained access to the network of cables which carry the world's phone calls and internet traffic and has started to process vast streams of sensitive personal information which it is sharing with its American partner, the National Security Agency. The sheer scale of the agency's ambition is reflected in the titles of its two principal components: Mastering the Internet and Global Telecoms Exploitation, aimed at scooping up as much online and telephone traffic as possible. This is all being carried out without any form of public acknowledgement or debate." Woah.
RE[11]: Enough already
by Alfman on Tue 25th Jun 2013 03:19 UTC in reply to "RE[10]: Enough already"
Alfman Member since:
2011-01-28

"It's multiple keys, a zone signing key and a key signing key, you can't get access to the key signing key without people finding out."

The keys I'm talking about are ICANN's root keys at http://data.iana.org/root-anchors/ "CN=ICANN Root CA"

The question was never whether you or I can get access to them, but whether the NSA could, and I don't think we're any closer to closure than when we started. Are you ok with leaving it as an open question? ;)

Score: 2

RE[12]: Enough already
by Lennie on Tue 25th Jun 2013 11:34 in reply to "RE[11]: Enough already"
Lennie Member since:
2007-09-22

They can't get undetected access to the root key signing key. They would need to create some kind of fake emergency.

The more likely thing would be that they might be able to get access to the device (HSM) that holds the keys for the zone-signing.

But every time they need to sign something they would need access to the device. That would be very inconvenient. I guess maybe they could send a zonefile by PGP signed email.

The most likely is they'd get cooperation of a TLD in similar fashion.

Sure, we can leave it an open question if you don't want to discuss it further.

Edited 2013-06-25 11:36 UTC

Score: 2

RE[13]: Enough already
by Alfman on Tue 25th Jun 2013 12:30 in reply to "RE[12]: Enough already"
Alfman Member since:
2011-01-28

Lennie,

"They can't get undetected access to the root key signing key. They would need to create some kind of fake emergency."

It may be true, or it may not be true, but you should realize that the actual truth is not dependent upon what either of us says. That's the thing about proving a spy agency has no knowledge of secrets. It's like proving there are no aliens in the universe; absence of positive proof isn't negative proof.

The fact that the US government is responsible for commissioning this is a concern because they arguably have a bigger motive and capability to plant "inside guys" and use bugged hardware. The official DNSSEC guidelines only excluded from key-holder candidacy employees from Verisign, ICANN and the US Commerce Department. They don't even claim to exclude NSA agents from the root keyholder position.


"Sure we can leave it an open question if you don't want to discuss it further."

Yes I would like to leave it an open question, I don't think it's possible to *prove* otherwise.

Edited 2013-06-25 12:33 UTC

Score: 2