Mark Andrews wrote:
In a general PKI you need a third party to validated the
name to certificate mapping because there is not natual
method to do this.
With DNSSEC the naming authority is the introducing authority.
Read the paper.
Your attempt to modify the meaning of "the third party" does not
affect the following part of the paper and its consequences.
http://portal.acm.org/citation.cfm?doid=383034.383037
These certificates are principal components of essentially all
public key schemes, except those that are so small in scale that
the users can communicate their public keys to each other one to
one, in an ad hoc way that is mutually trustworthy.
This is where DNSSEC differs from a general PKI infrastucture.
Regardless of whether DNSSEC differs from a general PKI or not,
security of DNSSEC is not end to end.
Masataka Ohta
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf