Thierry Moreau wrote:
That is, security of DNSSEC involves third parties and is not end
to end.
This is exactly like a chain of PKI CA's (replacing the path from bottom
to top of zone hierarchy):
Exactly the same with a compromised intermediate CA.
Exactly the same with a private key corresponding to the next
intermediate CA along the chain (i.e. the one certified by the
The paper of David Clark says PKI is not secure end to end.
Some tried to argue against by saying DNSSEC is so special that
it is secure end to end.
But, as you can observe, DNSSEC is no special and not secure end
to end.
I don't think any DNSSEC expert ever claimed differently.
I am the DNSSEC expert and see some people having a lot less
expertise than me says DNSSEC secure end to end.
They are incorrect or using different terminology on "end to end"
not acceptable to the Internet community.
Masataka Ohtqa
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf