Masataka Ohta wrote:
> Martin Rex wrote:
>> DNSsec, as far as I can see, does not use a PKI in the traditional
>> sense. There are _NO_ persons involved in the process,
> FYI, zones are operated by people.

That is missing the point.
From what I've seen, the whole architecture of DNSsec is based
on assertions of keys being authorized to sign keys being authorized
to sign RRs.
The blobs of data that are being used in the signatures look very
similar to "RSASSA-PKCS1-V1_5-SIGN" (PKCS#1 v1.5 signature scheme)
to me. If you look at rfc-2437 (PKCS#1 v2.0)
it does _NOT_ use the term "digital signature" anywhere throughout
that document, simply because there are no digital signatures
described in that specification.
"digital signature" is a term that has been picked up and used
by legislators to describe things that are equivalents to
real/natural signatures that represent legal entities,
and where they attach legal liabilities and contractual obligations.
The things used in DNSsec are just "signatures", they are
definitely _NOT_ "digital signatures" in any legal sense.
And btw. the reason why dnssec-gost needs to be a MAY, and why the
IETF _standards_ ought to require all DNSsec-signed zones
to include signatures with a mandatory to implement algorithm
is described in BCP-61, Section 6 as "the Danvers Doctrine":
Ietf mailing list
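As an added illustration of the chain of assertions Martin describes (a trust-anchor key signing the DNSKEY set, a key in that set signing the RRs) and of the RSASSA-PKCS1-v1_5 scheme he compares the signature blobs to, the Python below is editor-supplied and is not code from the thread or from any DNSSEC implementation. It assumes simplified stand-ins for the DNSKEY RDATA encoding and the RFC 4034 canonical RRset form, and generates toy-sized RSA keys from a fixed seed so the run is repeatable; the EMSA-PKCS1-v1_5 encoding itself follows RFC 8017.

```python
import hashlib
import random

RNG = random.Random(7)  # constructed fixed seed: toy 512-bit keys, repeatable, NOT secure
def is_probable_prime(n, rounds=16):  # Miller-Rabin; adequate for a demo key generator
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x not in (1, n - 1) and all((x := pow(x, 2, n)) != n - 1 for _ in range(s - 1)):
            return False
    return True
def make_rsa_key(bits=512):  # ((n, e), (n, d)); e is prime, so e | phi is the only gcd failure
    e, primes = 65537, set()
    while len(primes) < 2:
        c = RNG.getrandbits(bits // 2) | 1 << (bits // 2 - 1) | 1  # full length and odd
        if is_probable_prime(c):
            primes.add(c)
    p, q = primes
    phi = (p - 1) * (q - 1)
    return ((p * q, e), (p * q, pow(e, -1, phi))) if phi % e else make_rsa_key(bits)
def emsa_pkcs1_v15(msg, k):  # RFC 8017 9.2: 00 01 FF..FF 00 DigestInfo(SHA-256(msg)), k bytes
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rsa_sign(priv, msg):  # RSASSA-PKCS1-v1_5: EM -> integer -> m^d mod n -> k-byte string
    (n, d), k = priv, (priv[0].bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")
def rsa_verify(pub, msg, sig):  # re-encode and compare the whole EM; never parse the signature
    (n, e), s = pub, int.from_bytes(sig, "big")
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and s < n and pow(s, e, n).to_bytes(k, "big") == emsa_pkcs1_v15(msg, k)
def rrset_bytes(owner, rrtype, rdatas):  # stand-in for the RFC 4034 canonical RRset form
    return b"|".join([owner.encode(), rrtype.encode()] + sorted(rdatas))
def validate(anchor, zone, dnskeys, dnskey_sig, owner, rrtype, rdatas, rrsig, signer):
    # Chain of assertions: anchor signs the DNSKEY RRset; only a key in that RRset may sign data.
    if not rsa_verify(anchor, rrset_bytes(zone, "DNSKEY", dnskeys), dnskey_sig):
        return "bogus: DNSKEY RRset not signed by the trust anchor"
    if b"%d:%d" % signer not in dnskeys:  # DNSKEY RDATA stand-in: "n:e"
        return "bogus: signing key is not in the zone's DNSKEY RRset"
    if not rsa_verify(signer, rrset_bytes(owner, rrtype, rdatas), rrsig):
        return "bogus: RRSIG does not verify over the RRset"
    return "secure"

# Constructed demo zone "example.": the KSK is the resolver's trust anchor, the ZSK signs data
(KSK_PUB, KSK_PRIV), (ZSK_PUB, ZSK_PRIV) = make_rsa_key(), make_rsa_key()
DNSKEYS = [b"%d:%d" % KSK_PUB, b"%d:%d" % ZSK_PUB]
DNSKEY_SIG = rsa_sign(KSK_PRIV, rrset_bytes("example.", "DNSKEY", DNSKEYS))
A_RDATA = [b"192.0.2.1"]
A_SIG = rsa_sign(ZSK_PRIV, rrset_bytes("www.example.", "A", A_RDATA))
```

A resolver holding KSK_PUB as its anchor accepts the A RRset only when all three links hold; a key that signs correctly but is absent from the DNSKEY RRset is rejected, which is the "keys authorized to sign keys" point.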