Christian Huitema wrote:
NAT routers come to mind. DNSSEC
is immune to such attacks, a big advantage in practice.
I'm afraid DNSSEC and some NAT interact terribly.
Also, it is actually possible to improve on DNSSEC by introducing
additional knowledge. If two domains have an establish relation,
their servers can memorize the relevant public keys. If a host
has a relation with a domain, it can memorize that domain's
public key. This kind of "peer-to-peer" improvement makes the
domain-to-domain or host-to-domain DNSSEC service immune to
attacks by nodes higher in the hierarchy.
Do you know that the paper particularly discusses on revocation?
It is written in the paper that:
It can happen that a user loses his private key (the value
that goes with the given public key) through inadvertence or
theft; alternatively, a user may become unworthy in some way
relevant to the purpose for which the certificate has been
issued. Under such circumstances, the certificate authority
(third party) would want to revoke the certificate. How can
this be known?
Your "improvement" makes the entire system more complex only to
introduce new difficulties for revocation.
Masataka Ohta
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf