Paul Vixie wrote: 

> that depends on the problem statement, really.  if the problem statement is
> "how can we secure hop-by-hop" then there are other solutions on the table
> right now besides DNSSEC.

Wrong.

PKI, including DNSSEC, does require hop-by-hop security between CAs,
which is no different from hop-by-hop security between ISPs.

Note that, at least in Japan, both ISPs and CAs are legally required
to be secure, which has nothing to do with cryptographic security.

> my chosen problem statement is "how can we secure end-to-end"

And the answer is "by sharing security information directly by both
ends", which is not the case with PKI where security information is
shared (or confirmed) hop-by-hop through multiple third party CAs.

                                                        Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
