> If you -really- want this
> to work, you need to be able to trust what the DNS gives you.
> --bill
If (this is a BIG if):
1) this so called CAS system were implemented
2) DNS chose to use the CAS system to provide DNS server digital
certificates
3) DNS servers would sign queries. I mean server signatures as in
non-repudiation that the response originally came from the
authorized DNS server.
I'm trying to say that you could trust what DNS gives you. Of course,
the trust is only as good as the protection of the private key and the
technology providing PKI. I'm relying upon the reading I have done
that simply states that a third-party-verified digital signature can
provide non-repudiation. I think the CAS system could be used to
reliably establish the DNS "trust anchor" because CAS becomes the
third party verifier between a DNS resolver and a requesting computer.
Sounds like this is an uphill battle. I believe that a CAS system
does have merit.
Sal
Salvatore Mangiapane
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
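The three conditions in Sal's post (a CA issues certificates to DNS servers, the servers sign their responses, and a resolver checks both against the CA as its trust anchor) can be modelled end to end in a few dozen lines. The following is an added example written for this page; it is not code from the post, from the IETF, or from any actual "CAS" implementation. It uses Ed25519 from the Go standard library as a stand-in for whatever signature scheme such a PKI would use, and the certificate layout, the byte encoding that the signatures cover, and the names ns1.example.net. and www.example.net. are all assumptions made for illustration. It signs whole responses as the post describes, which is a different design from DNSSEC's signing of zone data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate models what the proposed "CAS" would issue: the CA's signature
// over the binding of a server name to that server's public key (the layout
// is an assumption; the post specifies no format).
type Certificate struct {
	ServerName string
	ServerKey  ed25519.PublicKey
	CASig      []byte
}

// signedBytes is the exact byte string a signature covers: label, NUL, payload.
func signedBytes(label string, payload []byte) []byte {
	return append(append([]byte(label), 0), payload...)
}

// CA is the hypothetical authority. Pub is the resolver's trust anchor; the
// private key is what the whole scheme hinges on.
type CA struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}
func NewCA() (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CA{Pub: pub, priv: priv}, nil
}

// Issue signs the name-to-key binding (point 2 of the post).
func (ca *CA) Issue(name string, key ed25519.PublicKey) Certificate {
	return Certificate{ServerName: name, ServerKey: key,
		CASig: ed25519.Sign(ca.priv, signedBytes(name, key))}
}

type DNSServer struct {
	Cert Certificate
	priv ed25519.PrivateKey
}
func NewDNSServer(name string, ca *CA) (*DNSServer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &DNSServer{Cert: ca.Issue(name, pub), priv: priv}, nil
}

// SignedResponse is query, answer and the server's signature over both (point 3).
// Covering the query stops a signed answer being replayed for a different question.
type SignedResponse struct {
	Query, Answer string
	Sig           []byte
}

func (s *DNSServer) Respond(query, answer string) SignedResponse {
	return SignedResponse{Query: query, Answer: answer,
		Sig: ed25519.Sign(s.priv, signedBytes(query, []byte(answer)))}
}

type Resolver struct{ TrustAnchor ed25519.PublicKey } // trusts exactly one CA key

// Verify walks the chain: name matches, cert signed by trusted CA, response signed by certified key.
func (r Resolver) Verify(expected string, cert Certificate, resp SignedResponse) error {
	if cert.ServerName != expected {
		return errors.New("certificate names a different server")
	}
	if len(cert.ServerKey) != ed25519.PublicKeySize { // ed25519.Verify panics on a bad length
		return errors.New("malformed server key in certificate")
	}
	if !ed25519.Verify(r.TrustAnchor, signedBytes(cert.ServerName, cert.ServerKey), cert.CASig) {
		return errors.New("certificate not signed by the trusted CA")
	}
	if !ed25519.Verify(cert.ServerKey, signedBytes(resp.Query, []byte(resp.Answer)), resp.Sig) {
		return errors.New("response signature does not verify under the certified key")
	}
	return nil
}

func main() {
	ca, _ := NewCA()
	srv, _ := NewDNSServer("ns1.example.net.", ca) // assumed names, not from the post
	resolver := Resolver{TrustAnchor: ca.Pub}
	resp := srv.Respond("www.example.net. IN A", "192.0.2.10")
	fmt.Println("genuine: ", resolver.Verify("ns1.example.net.", srv.Cert, resp))
	resp.Answer = "198.51.100.7" // on-path attacker rewrites the answer
	fmt.Println("tampered:", resolver.Verify("ns1.example.net.", srv.Cert, resp))
	rogue, _ := NewCA() // an authority the resolver was never told to trust
	imp, _ := NewDNSServer("ns1.example.net.", rogue)
	fmt.Println("rogue CA:", resolver.Verify("ns1.example.net.", imp.Cert, imp.Respond("q", "a")))
}
```

The resolver only ever holds the CA's public key, so the rogue-CA case fails at the certificate check before the response signature is even looked at, and a rewritten answer fails because the server signature covers the answer bytes. What the code cannot show is the caveat the post itself makes: if the CA's or a server's private key leaks, every signature it produces verifies just as cleanly, so the "non-repudiation" is only as strong as the custody of those keys.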