On 3 Oct 2010, at 02:49, Marsh Ray <ma...@extendedsubset.com> wrote:
>
> In the meantime, we'd end up with the DNS root effectively having the power
> of yet another CA. Except that it's not, because the various arms of ICANN
> and VeriSign/Symantec are probably already trusted many times over.
I agree with your points about the difficulty of rolling out DNSSEC key assurance and its coexistence with PKIX. But the above is a bit off-base, because the DNS has a lot of structural constraints that make it weaker than a CA. Although in theory the root zone operators could steal any arbitrary name, the organisational checks and balances prevent that. CAs have no significant external checks and balances. For example, they don't have the equivalent of whois that allows third parties to check who has been issued a certificate for a particular name.

Tony.

--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop