> If you -really- want this
> to work, you need to be able to trust what the DNS gives you.
>
> --bill

If (this is a BIG if):

1) this so-called CAS system were implemented
2) DNS chose to use the CAS system to provide DNS server digital certificates
3) DNS servers would sign queries. I mean server signatures as in non-repudiation that the response originally came from the authorized DNS server.

I'm trying to say that you could trust what DNS gives you. Of course, the trust is only as good as the protection of the private key and the technology providing PKI. I'm relying upon the reading I have done that simply states that a third-party-verified digital signature can provide non-repudiation.

I think the CAS system could be used to reliably establish the DNS "trust anchor" because CAS becomes the third-party verifier between a DNS resolver and a requesting computer.

Sounds like this is an uphill battle. I believe that a CAS system does have merit.

Sal
Salvatore Mangiapane
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
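The chain of trust sketched in the message above (a CAS root vouches for a DNS server's key, the server signs its responses, and a resolver that holds only the CAS trust anchor verifies both signatures) as an added, self-contained example; it is not code from the thread and the "CAS" is the hypothetical system the post describes, not a real service. Ed25519 is assumed as the signature scheme, and the certificate and response encodings are constructed for this example only. The demo also shows the two failures a resolver must catch: a tampered answer, and a server whose certificate was not issued by the trust anchor.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate is the CAS's signed binding of a DNS server name to its public key.
// Encoding is constructed for this example; a real certificate would carry expiry etc.
type Certificate struct {
	ServerName string
	ServerKey  ed25519.PublicKey
	CASSig     []byte // CAS root signature over certBytes(ServerName, ServerKey)
}

// SignedResponse is a DNS answer plus the server's certificate and signature.
type SignedResponse struct {
	Query  string
	Answer string
	Cert   Certificate
	Sig    []byte // server signature over responseBytes(Query, Answer)
}

// certBytes is the byte string the CAS signs (constructed format).
func certBytes(name string, key ed25519.PublicKey) []byte {
	return append([]byte("cert:"+name+":"), key...)
}

// responseBytes is the byte string the DNS server signs (constructed format).
func responseBytes(query, answer string) []byte {
	return []byte("resp:" + query + ":" + answer)
}

// IssueCertificate is the CAS role: bind name to key under the CAS root key.
func IssueCertificate(casPriv ed25519.PrivateKey, name string, key ed25519.PublicKey) Certificate {
	return Certificate{ServerName: name, ServerKey: key, CASSig: ed25519.Sign(casPriv, certBytes(name, key))}
}

// SignResponse is the DNS server role: sign the answer with the server's private key.
func SignResponse(serverPriv ed25519.PrivateKey, cert Certificate, query, answer string) SignedResponse {
	return SignedResponse{Query: query, Answer: answer, Cert: cert, Sig: ed25519.Sign(serverPriv, responseBytes(query, answer))}
}

// VerifyResponse is the resolver role. It holds only the CAS trust anchor and the
// name of the server it expects; everything else comes from the response itself.
func VerifyResponse(trustAnchor ed25519.PublicKey, expectedServer string, r SignedResponse) error {
	if r.Cert.ServerName != expectedServer {
		return errors.New("certificate is for a different server")
	}
	// Step 1: is the server's key really vouched for by the CAS?
	if !ed25519.Verify(trustAnchor, certBytes(r.Cert.ServerName, r.Cert.ServerKey), r.Cert.CASSig) {
		return errors.New("certificate not signed by the CAS trust anchor")
	}
	// Step 2: did the holder of that key sign exactly this answer?
	if !ed25519.Verify(r.Cert.ServerKey, responseBytes(r.Query, r.Answer), r.Sig) {
		return errors.New("response signature invalid (tampered or forged)")
	}
	return nil
}

// Demo runs the three scenarios and reports whether each behaved as required:
// the genuine response verifies, a tampered answer is rejected, and a server
// whose certificate comes from a rogue issuer is rejected.
func Demo() (genuineOK, tamperedRejected, rogueRejected bool) {
	casPub, casPriv, _ := ed25519.GenerateKey(rand.Reader)    // CAS root (trust anchor)
	srvPub, srvPriv, _ := ed25519.GenerateKey(rand.Reader)    // authorized DNS server
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)       // impostor's own "CA"
	rogueSrvPub, rogueSrvPriv, _ := ed25519.GenerateKey(rand.Reader)

	const server = "ns1.example.net" // constructed name
	cert := IssueCertificate(casPriv, server, srvPub)
	genuine := SignResponse(srvPriv, cert, "www.example.net A", "192.0.2.10")
	genuineOK = VerifyResponse(casPub, server, genuine) == nil

	tampered := genuine
	tampered.Answer = "198.51.100.99" // answer altered in transit, signature unchanged
	tamperedRejected = VerifyResponse(casPub, server, tampered) != nil

	rogueCert := IssueCertificate(roguePriv, server, rogueSrvPub) // not from the CAS
	rogue := SignResponse(rogueSrvPriv, rogueCert, "www.example.net A", "198.51.100.99")
	rogueRejected = VerifyResponse(casPub, server, rogue) != nil
	return
}

func main() {
	g, t, r := Demo()
	fmt.Printf("genuine verifies: %v, tampered rejected: %v, rogue issuer rejected: %v\n", g, t, r)
}
```

Note that, exactly as the post says, the guarantee rests on the private keys: a resolver that verifies both signatures can only conclude that whoever holds the CAS-certified key signed the answer. Key protection, certificate expiry and revocation are what a deployment would have to add on top of this skeleton.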