
Re: Let's move on - Let's DNSCurve Re: DNSSEC is NOT secure end to end

2009-06-15 20:11:05
These are assertions, not facts.

PKI is demonstrated to be effective in the reduction and management of
risk, that is what it is designed to do and that is how I define the
term 'security'.



On Fri, Jun 12, 2009 at 8:19 AM, Masataka Ohta <mohta(_at_)necom830(_dot_)hpcl(_dot_)titech(_dot_)ac(_dot_)jp> wrote:
Phillip Hallam-Baker wrote:

Trust roots have to be valid for at least a decade to be acceptable to
the application vendor community.

That's an unproved assumption.

It is an observation backed by fifteen years of experience and direct
conversations with the principals for cryptographic security at the
major platform vendors.

PKI, including DNSSEC, is NOT secure cryptographically, but secure
socially or, in other words, weakly secure, subject to social and
other forms of attacks.

PKI, however, is not so insecure, in a sense that plain old DNS
(specified in 1987) is not so insecure and has been valid for
more than a decade to be acceptable to the application vendor
community.

That is the observed fact.

If the broken security model of bailiwick is thrown away,
plain old DNS is made secure enough.

Moreover, plain old DNS is a lot easier to manage than PKI.

                                               Masataka Ohta





-- 
-- 
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
http://quantumofstupid.com/
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
