On Tue, 2009-06-09 at 08:54 +0900, Masataka Ohta wrote:
DNSSEC provides two things. Firstly, it provides the means to
digitally
sign RRsets. This provides data origin authentication and data
integrity.
The provision is through hops of certificate authorities,
As I clearly stated, the actual signing is end to end, and if the
receiver has chosen to trust the explicit key used to sign, there is no
involvement of PKI. The presence of a valid digital signature is good
evidence that the data originated in that form from the owner of the
private key corresponding to the public key used for verification.
which is what is discussed in latter paper of David Clark published in
2001. Read it.
I have, and I cannot find any explicit sentence which uses the phrase
"hops of certificate authorities". Nor can I find any statement which
states anything to the effect "PKI is not end to end and is therefore
bad". If these are present, please point them out. He does state "Each
interaction is nominally ... but its robustness depends on the larger
context composed of the whole sequence."
It does state, in effect, "PKI is difficult" (particularly because of
the revocation problem) but that is well known. But it also gives me the
impression that it says that this kind of thing is necessary, because of
the trust issue on the modern Internet.
I'm not sure of the reason for your insisting that DNSSEC is not end to
end.
I must apologise to the Asrg list for continuing this discussion, which
seems to have just gone down a pointless semantic hole.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg