Francis Dupont wrote:
=> not only this is very arguable (for instance about the resource
exhaustion) but no hop-by-hop/channel security, even something as
strong as TSIG, can provide what we need, i.e., end-to-end/object
Unless your meaning of end-to-end differs from that of David Clark,
the following argument of his paper is applicable to DNSSEC.
Rethinking the design of the Internet:
The end to end arguments vs. the brave new world
The certificate is an assertion by that (presumably
trustworthy) third party that the indicated public key
actually goes with the particular user.
These certificates are principal components of essentially
all public key schemes,
That is, security of DNSSEC involves third parties and is not end
PS (*): I use the common meaning of end-to-end, not Masataka Ohta's one.
I'm afraid you don't know who David Clark is and how he is related
to the end to end argument.
However, all the people who are qualified to discuss end to end do
know him and his argument.
Ietf mailing list