On 17 Feb 2010, at 22:24, Masataka Ohta wrote:

> Martin Rex wrote:
>
>> DNSsec, as far as I can see, does not use a PKI in the traditional
>> sense. There are _NO_ persons involved in the process,
>
> FYI, zones are operated by people.
>
> I can forge a key of your zone. I can, then, ask a person operating a
> parent zone of yours to issue a valid signature over the forged key.

Yeah, but at least now we know the difference between the subversion of the
"Chain of trust" and some bloke with a packet sniffer. As soon as the
"Integrity" of the "Chain of trust" becomes obviously broken, for whatever
reason, it's totally within our power to do what we do now, and ignore it.

The point here is, we now have a way to verify the technical functions we
depend on today are working properly. It isn't about reputation or the trust
of any given person or entity, any more than it is now. I can *still* find
ingenious ways to bribe or subvert or otherwise make your registrar publish
records of my control and design that pertain to your domains, with or without
that verification function. Well, I could if I were sitting at the top with
lots of money and nothing else to do. But when the data we receive is
authentic from the intended, authenticated source, we have a chance to assign
our own trust policies as we see fit (and it may be, though I doubt it, that I
find the bloke with a packet sniffer a more reliable source than ICANN). The
utility of online banking and shopping, as certified by some sort of
certification authority about whom we know next to nothing, suggests that we
prefer some - any - degree of accountability, and the result of some CA being
sloppy has always (and will continue to be) grounds for distrust. And the same
has applied as well to webs of trust, like those of PGP, where some degree of
fuzzy logic is applied to make multiple vouches constitute more solid evidence
of "Trustworthiness". Single roots may present problems when there is no other
root, but never to the extent of being an unchallenged authority, and certainly
not to the degree that the Internet would experience an irreparable divide.
The problems only really show up when people get involved, and that's why
certification authorities are so rich.