Masataka Ohta writes:

There are a lot of deficiencies in PKI, but at the present time I can see no
alternative for establishing trust in loosely connected and large
systems. If there is one, please advise.

> But, the most serious defect of DNSSEC, or PKI in general, is that,
> despite a lot of hype, it is not cryptographically secure.
> Social attacks on trusted third parties make the parties
> untrustworthy, which means PKI is merely socially or weakly

> For security of interdomain routing, social security of the trust
> relationship between ISPs is just enough, to which additional
> social security by PKI is not helpful.

There are no trust relationships between my ISP and your ISP.
How can my ISP trust a routing announcement that I received over the network
and that names your ISP as the origin?
The same question applies to DNS. My resolver has no trust relationship
with your server.

> For security of DNS, social security of the trust relationships between
> ISPs and between zones is just enough, to which additional social
> security by PKI is not helpful.

How can I trust a DNS answer that I received over the network?
Unfortunately, the Internet 20 years ago and the Internet today are two
significantly different networks.
20 years ago I trusted nearly all network participants and
undoubtedly trusted all network administrators.
Now the necessity of building chains of trust is obvious; otherwise
you will lose a lot. The methods that are being implemented are
definitely not ideal (I know of a lot of flaws and weaknesses in systems
that use PKI), but at the same time I do not know anything better.
Ietf mailing list