Mark Andrews wrote: > In a general PKI you need a third party to validated the > name to certificate mapping because there is not natual > method to do this. > > With DNSSEC the naming authority is the introducing authority. Read the paper. Your attempt to modify the meaning of "the third party" does not affect the following part of the paper and its consequences. >> http://portal.acm.org/citation.cfm?doid=383034.383037 >> These certificates are principal components of essentially all >> public key schemes, except those that are so small in scale that >> the users can communicate their public keys to each other one to >> one, in an ad hoc way that is mutually trustworthy. > This is where DNSSEC differs from a general PKI infrastucture. Regardless of whether DNSSEC differs from a general PKI or not, security of DNSSEC is not end to end. Masataka Ohta _______________________________________________ Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf