At 10:54 AM +0900 7/10/07, Masataka Ohta wrote:
Stephen Kent wrote:
The notion of CA compromise and ISP comprise are not completely
comparable, which makes your comparison suspect.
As I already mentioned, social attacks on employees of CAs and
ISPs are equally easy and readily comparable.
the attacks may be comparable but not all of the effects are the same.
> Also, the security implications of errors (or sloppiness) by ISPs is
very different from that of CAs, so I don't think your comparison makes
sense in that regard as well.
Given the sloppiness of current DNS management, secure DNS CAs, which
is an PKI, will be no different from that of ISPs.
DNSSEC is very analogous to a PKI in many respects, but it too is not
quite the same. A major difference is that the DNS hierarchy is
authoritative for the bindings it establishes, whereas the common,
trusted-third party CA model involves organization who are
authoritative for nothing.
It hard for you to recognize that most, if not all, of the effort
of IETF security area has been wasted in vain.
As opposed to wasting efforts constructively?
But that's the
It's so generous of you to provide the rest of us with your wisdom
with regard to the reality of security. I'm not sure we are
deserving, and so maybe it would be fairer to not share so much.
Ietf mailing list