At 10:54 AM +0900 7/10/07, Masataka Ohta wrote:
...
Stephen Kent wrote:
> The notion of CA compromise and ISP comprise are not completely
> comparable, which makes your comparison suspect.
As I already mentioned, social attacks on employees of CAs and
ISPs are equally easy and readily comparable.
the attacks may be comparable but not all of the effects are the
same.
> Also, the security implications of errors (or sloppiness) by ISPs is
> very different from that of CAs, so I don't think your comparison makes
> sense in that regard as well.
Given the sloppiness of current DNS management, secure DNS CAs, which
is an PKI, will be no different from that of ISPs.
DNSSEC is very analogous to a PKI in many respects, but it too is
not quite the same. A major difference is that the DNS hierarchy is
authoritative for the bindings it establishes, whereas the common,
trusted-third party CA model involves organization who are
authoritative for nothing.
It hard for you to recognize that most, if not all, of the effort
of IETF security area has been wasted in vain.
As opposed to wasting efforts constructively?
But that's the
reality.
Masataka Ohta
It's so generous of you to provide the rest of us with your
wisdom with regard to the reality of security. I'm not sure we are
deserving, and so maybe it would be fairer to not share so much.
Steve
_______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf