Re: DNS over SCTP
In message <4A20539E.3070005 at necom830.hpcl.titech.ac.jp>, Masataka Ohta writes:
> Paul Wouters wrote:
> 
> > DNSSEC involves no certificates and no certificate authorities. You know
> > this.
> 
> As is documented in the paper of David Clark;
> 
>    http://portal.acm.org/citation.cfm?doid=383034.383037
>    These certificates are principal components of essentially all
>    public key schemes, except those that are so small in scale that
>    the users can communicate their public keys to each other one to
>    one, in an ad hoc way that is mutually trustworthy.
> 
> certificates are principal components of DNSSEC, a large scale
> public key scheme.
> 
> Not calling intermediate certificates between zones certificates
> does not change the reality that DNSSEC involves certificates.
> 
> >> Though there seems to be some confusion that DNSSEC security were
> >> end to end
> 
> > It is.
> 
> See the paper above to see why DNSSEC is NOT end to end.
> 
> Of course, you may argue against David Clark, but, do so with
> reasons.

	In a general PKI you need a third party to validate the
	name to certificate mapping because there is no natural
	method to do this.

	With DNSSEC the naming authority is the introducing authority.
	This is where DNSSEC differs from a general PKI infrastructure.
	This is also what makes DNSSEC better as a PKI for domain names.

	Mark

> 						Masataka Ohta
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
