Paul Vixie wrote:

> that depends on the problem statement, really. if the problem statement is
> "how can we secure hop-by-hop" then there are other solutions on the table
> right now besides DNSSEC.

Wrong.

PKI, including DNSSEC, does require hop-by-hop security between CAs, which is no different from hop-by-hop security between ISPs.

Note that, at least in Japan, both ISPs and CAs are legally required to be secure, which has nothing to do with cryptographic security.

> my chosen problem statement is "how can we secure end-to-end"

And the answer is "by sharing security information directly by both ends", which is not the case with PKI where security information is shared (or confirmed) hop-by-hop through multiple third party CAs.

Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop