Paul Wouters wrote: > DNSSEC involves no certificates and no certificate authorities. You know > this. As is documented in the paper of David Clark; http://portal.acm.org/citation.cfm?doid=383034.383037 These certificates are principal components of essentially all public key schemes, except those that are so small in scale that the users can communicate their public keys to each other one to one, in an ad hoc way that is mutually trustworthy. certificates are principal components of DNSSEC, a large scale public key scheme. Not calling intermediate certificates between zones certificates does not change the reality that DNSSEC involves certificates. >> Though there seems to be some confusion that DNSSEC security were >> end to end > It is. See the paper above to see why DNSSEC is NOT end to end. Of cource, you may argue against David Clark, but, do so with reasons. Masataka Ohta _______________________________________________ Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf