
Re: IAB statement on the RPKI.

2010-02-17 17:12:23
On 17 Feb 2010, at 22:24, Masataka Ohta wrote:
Martin Rex wrote:
DNSsec, as far as I can see, does not use a PKI in the traditional
sense.  There are _NO_ persons involved in the process,

FYI, zones are operated by people.

I can forge a key of your zone. I can, then, ask a person operating a
parent zone of yours to issue a valid signature over the forged key.

Yeah, but at least now we know the difference between the subversion of the 
"Chain of trust" and some bloke with a packet sniffer.  As soon as the 
"Integrity" of the "Chain of trust" becomes obviously broken, for whatever 
reason, it's totally within our power to do what we do now, and ignore it.

The point here is, we now have a way to verify the technical functions we 
depend on today are working properly.  It isn't about reputation or the trust 
of any given person or entity, any more than it is now. I can *still* find 
ingenious ways to bribe or subvert or otherwise make your registrar publish 
records of my control and design that pertain to your domains, with or without 
that verification function.  Well, I could if I were sitting at the top with 
lots of money and nothing else to do.  But when the data we receive is 
authentic from the intended, authenticated source, we have a chance to assign 
our own trust policies as we see fit (and it may be, though I doubt it, that I 
find the bloke with a packet sniffer a more reliable source than ICANN).  The 
utility of online banking and shopping, as certified by some sort of 
certification authority about whom we know next to nothing, suggests that we 
prefer some - any - degree of accountability, and the result of some CA being 
sloppy has always been (and will continue to be) grounds for distrust.  And the same 
has applied as well to webs of trust, like those of PGP, where some degree of 
fuzzy logic is applied to make multiple vouches constitute more solid evidence 
of "Trustworthiness".  Single roots may present problems when there is no other 
root, but never to the extent of being an unchallenged authority, and certainly 
not to the degree that the Internet would experience an irreparable divide.  
The problems only really show up when people get involved, and that's why 
certification authorities are so rich.

Cheers,
Sabahattin

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
