%
% > If you -really- want this
% > to work, you need to be able to trust what the DNS gives you.
% >
% >
% > --bill
%
% If (this is a BIG if):
%
% 1) this so-called CAS system were implemented
% 2) DNS chose to use the CAS system to provide DNS server digital
%    certificates
% 3) DNS servers would sign queries. I mean server signatures as in
%    non-repudiation that the response originally came from the
%    authorized DNS server.
%
% I'm trying to say that you could trust what DNS gives you. Of course,
% the trust is only as good as the protection of the private key and the
% technology providing PKI. I'm relying upon the reading I have done
% that simply states that a third party verified digital signature can
% provide nonrepudiation. I think the CAS system could be used to
% reliably establish the DNS "trust anchor" because CAS becomes the
% third party verifier between a DNS resolver and a requesting computer.
%
% Sounds like this is an uphill battle. I believe that a CAS system
% does have merit.
%
% Sal
% Salvatore Mangiapane
%

Please review the namedroppers archives, much of the operational DNSSEC workshop/presentation material <www.dnssec.net>. Further discussion should likely be on the pki & dns wg lists and not on the general IETF list.

--bill

Opinions expressed may not even be mine by the time you read them, and certainly don't reflect those of any other entity (legal or otherwise).

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
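The three-step chain Sal sketches (a CAS root acting as trust anchor, the CAS certifying a DNS server's key, the server signing its responses) can be shown end to end with a small resolver-side check. The block below is an added example written for this thread; it is not code from either poster, not DNSSEC's actual DNSKEY/DS/RRSIG mechanism, and not a real CAS. It uses textbook RSA over small well-known primes purely so the chain of signatures is visible (constructed parameters, far too small to be secure), and the server name, IP addresses and response text are made up. The point it demonstrates is the one Sal makes: the resolver's trust rests entirely on the anchor key, and a key the CAS never vouched for yields no trust even if the response it signs is otherwise well-formed.

```python
import hashlib

# Toy textbook RSA over small, well-known primes. Constructed for illustration
# only: these parameters are orders of magnitude too small to be secure.
TOY_E = 65537


def toy_keypair(p: int, q: int):
    """Return (public, private) pairs as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(TOY_E, -1, phi)          # modular inverse (Python 3.8+)
    return (n, TOY_E), (n, d)


def _digest(data: bytes, n: int) -> int:
    """Hash the message and reduce it into the RSA group (toy, no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(_digest(data, n), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest(data, n)


def cert_body(server_name: str, server_pub) -> bytes:
    """What the CAS signs: the server's name bound to its public key."""
    n, e = server_pub
    return f"{server_name}|{n}|{e}".encode()


def issue_certificate(cas_priv, server_name: str, server_pub) -> dict:
    """The CAS (third-party verifier) vouches for a server key."""
    return {"name": server_name, "pub": server_pub,
            "cas_sig": sign(cas_priv, cert_body(server_name, server_pub))}


def validate_response(trust_anchor, cert: dict, response: bytes, response_sig: int) -> bool:
    """Resolver-side check: the certificate must chain to the anchor AND the
    response must verify under the certified key. Either failure is fatal."""
    if not verify(trust_anchor, cert_body(cert["name"], cert["pub"]), cert["cas_sig"]):
        return False  # key never vouched for by the CAS: no trust
    return verify(cert["pub"], response, response_sig)


# --- constructed scenario (hypothetical names and addresses) ---
CAS_PUB, CAS_PRIV = toy_keypair(15485863, 32452843)     # CAS root: the trust anchor
SERVER_PUB, SERVER_PRIV = toy_keypair(1299709, 104729)   # authorized DNS server
ROGUE_PUB, ROGUE_PRIV = toy_keypair(999983, 1000003)     # key the CAS never certified

SERVER_CERT = issue_certificate(CAS_PRIV, "ns1.example.net", SERVER_PUB)
# A self-signed certificate for the rogue key: same name, but no CAS signature.
ROGUE_CERT = {"name": "ns1.example.net", "pub": ROGUE_PUB,
              "cas_sig": sign(ROGUE_PRIV, cert_body("ns1.example.net", ROGUE_PUB))}

RESPONSE = b"www.example.net. A 192.0.2.10"   # constructed answer (TEST-NET-1 address)


def genuine_response_validates() -> bool:
    """Authorized server, CAS-certified key: the resolver accepts."""
    return validate_response(CAS_PUB, SERVER_CERT, RESPONSE, sign(SERVER_PRIV, RESPONSE))


def uncertified_key_rejected() -> bool:
    """Well-formed signature under a key the anchor does not vouch for: rejected."""
    return not validate_response(CAS_PUB, ROGUE_CERT, RESPONSE, sign(ROGUE_PRIV, RESPONSE))


def modified_response_rejected() -> bool:
    """Genuine signature replayed over an altered answer: rejected."""
    sig = sign(SERVER_PRIV, RESPONSE)
    return not validate_response(CAS_PUB, SERVER_CERT, b"www.example.net. A 198.51.100.9", sig)


if __name__ == "__main__":
    print("genuine:", genuine_response_validates())
    print("uncertified key:", uncertified_key_rejected())
    print("modified response:", modified_response_rejected())
```

Two design notes follow from the example. First, `validate_response` checks the certificate before the response, so a resolver configured with the wrong anchor, or one whose anchor key has been replaced, trusts nothing at all; that is exactly why Sal's caveat about protecting the private key applies with full force to the CAS root. Second, the certificate binds the server's name to its key, so an uncertified key cannot borrow trust merely by claiming the same name. Real DNSSEC establishes its chain differently (DS records in the parent zone rather than a CA-style certificate), which is why bill points to the namedroppers archives rather than a PKI design.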