%
% > If you -really- want this
% > to work, you need to be able to trust what the DNS gives you.
% >
% >
% > --bill
%
% If (this is a BIG if):
%
% 1) this so-called CAS system were implemented
% 2) DNS chose to use the CAS system to provide DNS server digital
% certificates
% 3) DNS servers would sign queries. I mean server signatures as in
% non-repudiation that the response originally came from the
% authorized DNS server.
%
% I'm trying to say that you could trust what DNS gives you. Of course,
% the trust is only as good as the protection of the private key and the
% technology providing PKI. I'm relying upon the reading I have done
% that simply states that a third-party verified digital signature can
% provide nonrepudiation. I think the CAS system could be used to
% reliably establish the DNS "trust anchor" because CAS becomes the
% third party verifier between a DNS resolver and a requesting computer.
%
% Sounds like this is an uphill battle. I believe that a CAS system
% does have merit.
%
% Sal
% Salvatore Mangiapane
%
Please review the namedroppers archives and much of the
operational DNSSEC workshop/presentation material
<www.dnssec.net>. Further discussion should likely
be on the PKI & DNS WG lists and not on the general IETF
list.
--bill
Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf