Re: IAB statement on the RPKI.
2010-02-18 00:50:59
Masataka Ohta writes:
> Basil Dolmatov wrote:
>> There are a lot of deficiencies in PKI, but at present time I can see no
>> alternative for establishing trust in loosely connected and large
>> systems. If there is one, please advise.
> The problem of PKI is that its security socially depends on a loose
> connection of a chain of adjacent CAs.
> In other words, PKI, including DNSSEC, is not secure end to end.
> As the chain is breakable at component CAs (trusted third parties are
> not very trustable), there is no point to work unreasonably hard to
> cryptographically strengthen links between adjacent CAs.
> So, PKI is useless when there already is loose but reasonable
> social security.
>> There are no trust relationships between my ISP and your ISP.
> Your and my ISPs are loosely connected by a chain of social trust
> relationships between adjacent ISPs, which is why we can exchange
> packets over the Internet
Yes.
> with reasonable security.
No. Without any security at all.
No guarantees of delivery, no origin validation, no path validation, etc.
A "social trust relationship" can arrange packet delivery but cannot
arrange any responsibility for proper delivery.
As I have said before, the picture you are drawing reflects the Internet 20
years ago, when all participants cooperated and worked for the benefit
of the network.
No, _not_all_ participants have this paradigm in the network, and the
share of those who do not participate in any "social trust
relationships" but simply use the network in the manner they feel good
for achieving their goals (sometimes criminal ones) is increasing
continuously.
> Adjacent zones have reasonable social trust relationships between
> them, through which network, your resolver and my server are
> loosely connected with reasonable security.
With no security at all. Otherwise we would have never heard about
"cache poisoning".
dol@
P.S. Just to mention: I liked the Internet 20 years ago much more and am a bit
nostalgic about it.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf