DNSSEC is NOT secure end to end

From: Masataka Ohta <mohta at necom830.hpcl.titech.ac.jp>
To: Mark Andrews <marka at isc.org>
Cc: ietf at ietf.org
Date: Sat, 30 May 2009 17:40:26 +0900
In-reply-to: <200905300009.n4U09s1d099694 at drugs.dv.isc.org>
References: <200905300009.n4U09s1d099694 at drugs.dv.isc.org>

Mark Andrews wrote:

> 	In a general PKI you need a third party to validated the
> 	name to certificate mapping because there is not natual
> 	method to do this.
> 
> 	With DNSSEC the naming authority is the introducing authority.

Read the paper.

Your attempt to modify the meaning of "the third party" does not
affect the following part of the paper and its consequences.

>>   http://portal.acm.org/citation.cfm?doid=383034.383037
>>   These certificates are principal components of essentially all
>>   public key schemes, except those that are so small in scale that
>>   the users can communicate their public keys to each other one to
>>   one, in an ad hoc way that is mutually trustworthy.

> 	This is where DNSSEC differs from a general PKI infrastucture.

Regardless of whether DNSSEC differs from a general PKI or not,
security of DNSSEC is not end to end.

						Masataka Ohta

References:
- Re: DNS over SCTP
  - From: Mark Andrews

Prev by Date: Re: Differing topics (was: IAOC Meeting location selection)
Next by Date: Fwd: [Unicode Announcement] New Public Review Issue #147: Proposed Deprecation of U+0673 ARABIC LETTER ALEF WITH WAVY HAMZA BELOW
Previous by thread: Re: DNS over SCTP
Next by thread: Re: DNS over SCTP
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

DNSSEC is NOT secure end to end

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.