At 5:36 PM +0200 8/20/08, Florian Weimer wrote:
> * Masataka Ohta:
>
>> Now, I'm saying, for these 10 years, that PKI, including DNSSEC,
>> is broken.
>>
>> Can't you simply believe me?
>
> No, because DNSSEC, as it will be deployed, is not a PKI.

Masataka is right that PKI as it is widely used (PKIX) is broken.
Florian is right that DNSSEC as it stands today is not PKI. The trust
model in DNSSEC is completely parallel to the data model. In the PKIX
world, it is bolted on to the side in a way that often surprises
users.
--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop