Christian Huitema wrote:

> NAT routers come to mind. DNSSEC is immune to such attacks, a big
> advantage in practice.

I'm afraid DNSSEC and some NAT interact terribly.

> Also, it is actually possible to improve on DNSSEC by introducing
> additional knowledge. If two domains have an established relation,
> their servers can memorize the relevant public keys. If a host
> has a relation with a domain, it can memorize that domain's
> public key. This kind of "peer-to-peer" improvement makes the
> domain-to-domain or host-to-domain DNSSEC service immune to
> attacks by nodes higher in the hierarchy.

Do you know that the paper particularly discusses revocation?

It is written in the paper that:

It can happen that a user loses his private key (the value that goes
with the given public key) through inadvertence or theft; alternatively,
a user may become unworthy in some way relevant to the purpose for which
the certificate has been issued. Under such circumstances, the
certificate authority (third party) would want to revoke the
certificate.

How can this be known?

Your "improvement" makes the entire system more complex only to
introduce new difficulties for revocation.

Masataka Ohta

_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
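The trade-off argued in the message above, as an added illustration that is not code from the thread, from the paper it cites, or from any DNSSEC implementation: a resolver that validates a zone's records through the parent's DS (the hierarchy) is compared with one that has memorised ("pinned") the zone's key from an earlier relationship. Keys are plain string identifiers and a "signature" is just the id of the signing key, so only the trust decision is modelled, not the cryptography; the zone name, key ids and addresses are constructed sample data, and the optional `revoked` set is an assumed out-of-band revocation channel, not a DNSSEC mechanism.

```python
"""Toy model: DNSSEC-style hierarchical validation vs. pinned keys.

Added illustration only; not code from the thread, the cited paper, or
any DNSSEC implementation. A "signature" is simply the id of the key
that produced it, so the decision logic is visible without the
cryptography. ZONE, the key ids and the addresses are constructed.
"""
from dataclasses import dataclass, field

ZONE = "example.test."  # constructed zone name


@dataclass
class Signed:
    """A record plus the id of the key that (notionally) signed it."""
    name: str
    data: str
    signer: str


@dataclass
class Resolver:
    """pins maps zone name -> key id the resolver memorised earlier."""
    pins: dict = field(default_factory=dict)

    def validate(self, rec: Signed, parent_ds: dict,
                 revoked: frozenset = frozenset()) -> bool:
        pinned = self.pins.get(rec.name)
        if pinned is not None and pinned not in revoked:
            # Peer-to-peer mode: only the memorised key counts, whatever
            # the parent publishes. Nothing here tells the resolver the
            # key was stolen unless 'revoked' is fed from somewhere.
            return rec.signer == pinned
        # Hierarchical mode: trust whichever key the parent's DS names.
        return parent_ds.get(rec.name) == rec.signer


def scenario_rogue_parent():
    """The parent zone swaps the DS for an attacker's key.
    Returns (plain resolver accepts forgery, pinned resolver accepts forgery)."""
    plain, pinned = Resolver(), Resolver(pins={ZONE: "k1"})
    ds = {ZONE: "attacker"}  # parent now vouches for the attacker
    forged = Signed(ZONE, "A 192.0.2.66", "attacker")
    return plain.validate(forged, ds), pinned.validate(forged, ds)


def scenario_stolen_key(revoked=frozenset()):
    """Key k1 is stolen; the owner rolls to k2 and the parent publishes a
    DS for k2. Returns ((plain accepts thief, plain accepts owner),
    (pinned accepts thief, pinned accepts owner))."""
    plain, pinned = Resolver(), Resolver(pins={ZONE: "k1"})
    ds = {ZONE: "k2"}  # honest parent, already rolled
    by_thief = Signed(ZONE, "A 192.0.2.66", "k1")
    by_owner = Signed(ZONE, "A 192.0.2.1", "k2")
    return ((plain.validate(by_thief, ds, revoked),
             plain.validate(by_owner, ds, revoked)),
            (pinned.validate(by_thief, ds, revoked),
             pinned.validate(by_owner, ds, revoked)))


if __name__ == "__main__":
    print("rogue parent (plain, pinned):", scenario_rogue_parent())
    print("stolen key, no revocation:", scenario_stolen_key())
    print("stolen key, pin revoked out of band:",
          scenario_stolen_key(frozenset({"k1"})))
```

In the first scenario the pin does what Huitema describes: the rogue parent's DS is ignored and the forgery is rejected. In the second the same pin keeps accepting records signed with the stolen key and rejects the owner's legitimate new key, while the hierarchy-only resolver gets both right, because the parent's DS is its revocation channel. The pinned resolver only recovers once `revoked` is populated from somewhere, which is exactly the "how can this be known?" question in the message.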