On 28 Sep 2010, at 02:20, Phillip Hallam-Baker <hallam(_at_)gmail(_dot_)com> wrote:
> On Mon, Sep 27, 2010 at 10:48 AM, Tony Finch <dot(_at_)dotat(_dot_)at> wrote:
>> On Fri, 24 Sep 2010, Phillip Hallam-Baker wrote:
>>> DNSSEC is a mechanism for establishing inter-domain trust. It is not an
>>> appropriate technology for intra-domain trust.
>>
>> Why not?
>
> Because the root of trust for any enterprise is the enterprise itself. Not
> ICANN.

DNSSEC does not require you to use only ICANN's trust anchor. You can also use
your enterprise trust anchor, so you can validate your enterprise DNS
independently of any third party.

(The keyassure work might make this approach to key distribution easier than
running an enterprise X.509 CA. DNSSEC also has the advantage of a defined
trust anchor rollover protocol.)

You can also use third party trust anchors such as the ISC's DLV.

Tony.
--
f.anthony.n.finch <dot(_at_)dotat(_dot_)at> http://dotat.at/
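
An added example, not part of the original message: a validating-resolver configuration sketch in Unbound syntax that carries an enterprise trust anchor alongside the root anchor. The zone name corp.example, the file paths and the address 192.0.2.53 are constructed placeholders, and reading the rollover protocol mentioned above as RFC 5011 is an assumption.

```conf
# unbound.conf fragment (illustrative; names, paths and addresses are placeholders)
server:
    # Run the DNSSEC validator in front of the iterator.
    module-config: "validator iterator"

    # Public names: root trust anchor, kept current by RFC 5011 probing.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Enterprise names: the enterprise's own KSK (DNSKEY or DS record) as a
    # second anchor. The validator starts from the closest enclosing anchor,
    # so corp.example validates without relying on the chain from the root.
    # Using the auto- variant lets this anchor roll over via RFC 5011 as well.
    auto-trust-anchor-file: "/var/lib/unbound/corp.example.key"

    # Treat answers that should be signed but arrive without signatures
    # as bogus rather than silently accepting them as insecure.
    harden-dnssec-stripped: yes

# Send queries for the enterprise zone to the internal authoritative server.
stub-zone:
    name: "corp.example."
    stub-addr: 192.0.2.53
```

The anchor file has to be seeded over a trusted channel with the zone's current KSK before the resolver starts; a wrong or stale anchor makes the whole zone validate as bogus.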