On Tue, 2009-06-09 at 08:54 +0900, Masataka Ohta wrote:
> > DNSSEC provides two things. Firstly, it provides the means to
> > digitally sign RRsets. This provides data origin authentication and
> > data integrity.
>
> The provision is through hops of certificate authorities,

As I clearly stated, the actual signing is end to end, and if the receiver has chosen to trust the explicit key used to sign, there is no involvement of PKI. The presence of a valid digital signature is good evidence that the data originated in that form from the owner of the private key corresponding to the public key used for verification.

> which is what is discussed in latter paper of David Clark published in
> 2001. Read it.

I have, and I cannot find any explicit sentence which uses the phrase "hops of certificate authorities". Nor can I find any statement which states anything to the effect "PKI is not end to end and is therefore bad". If these are present, please point them out.

He does state "Each interaction is nominally ... but its robustness depends on the larger context composed of the whole sequence."

It does state, in effect, "PKI is difficult" (particularly because of the revocation problem) but that is well known. But it also gives me the impression that it says that this kind of thing is necessary, because of the trust issue on the modern Internet.

I'm not sure of the reason for your insisting that DNSSEC is not end to end.

I must apologise to the Asrg list for continuing this discussion, which seems to have just gone down a pointless semantic hole.

_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
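The point made in the message above, that a receiver who has chosen to trust the zone's signing key directly verifies the RRSIG with that key and nothing else, can be shown in code. What follows is an added example written for this page; it is not code from the message's author, from the IETF list, or from any DNSSEC implementation. It builds the RFC 4034 canonical form of an A RRset and the RRSIG RDATA prefix, signs them with an Ed25519 key (DNSSEC algorithm 15, RFC 8080) using only Go's standard library, and verifies with a public key handed directly to the verifier. The zone name, addresses, TTLs, validity window and keys are all constructed for the demo; the function names (`SignRRset`, `VerifyRRset`, `Demo`) are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
)

const typeA, classIN uint16 = 1, 1 // RFC 1035 type/class codes
const algED25519 uint8 = 15        // DNSSEC algorithm number, RFC 8080

// RR is a minimal resource record with RDATA already in wire form.
type RR struct {
	Name        string
	Type, Class uint16
	TTL         uint32
	Rdata       []byte
}

// RRSIGFixed holds the fixed-size RRSIG RDATA fields in wire order (RFC 4034 section 3.1);
// RRSIGHeader adds the signer name, giving the RRSIG RDATA minus the signature itself.
type RRSIGFixed struct {
	TypeCovered                    uint16
	Algorithm, Labels              uint8
	OrigTTL, Expiration, Inception uint32
	KeyTag                         uint16
}
type RRSIGHeader struct {
	RRSIGFixed
	SignerName string
}

// wireName encodes a domain name in canonical form: lower-cased, uncompressed, each label
// prefixed by its length, terminated by the empty root label (RFC 4034 section 6.2).
func wireName(name string) []byte {
	var out []byte
	if n := strings.ToLower(strings.TrimSuffix(name, ".")); n != "" {
		for _, label := range strings.Split(n, ".") {
			out = append(append(out, byte(len(label))), label...)
		}
	}
	return append(out, 0)
}

// signedData is the byte string the signature covers: RRSIG RDATA (minus signature) followed
// by the RRset in canonical form, each RR as owner|type|class|OrigTTL|rdlength|rdata, with the
// owner lower-cased, the TTL replaced by the original TTL and the RRs sorted by RDATA
// (RFC 4034 sections 3.1.8.1 and 6). Signer and verifier therefore hash identical bytes
// whatever order, case or decremented TTL the records arrive with.
func signedData(h RRSIGHeader, rrs []RR) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, h.RRSIGFixed)
	b.Write(wireName(h.SignerName))
	sorted := append([]RR(nil), rrs...)
	sort.Slice(sorted, func(i, j int) bool { return bytes.Compare(sorted[i].Rdata, sorted[j].Rdata) < 0 })
	for _, rr := range sorted {
		b.Write(wireName(rr.Name))
		binary.Write(&b, binary.BigEndian, struct {
			Type, Class uint16
			TTL         uint32
			RdLength    uint16
		}{rr.Type, rr.Class, h.OrigTTL, uint16(len(rr.Rdata))})
		b.Write(rr.Rdata)
	}
	return b.Bytes()
}

// KeyTag is the RFC 4034 appendix B checksum over DNSKEY RDATA (flags|protocol=3|algorithm|key).
func KeyTag(flags uint16, alg uint8, pub []byte) uint16 {
	rdata := append([]byte{byte(flags >> 8), byte(flags), 3, alg}, pub...)
	var ac uint32
	for i, c := range rdata {
		if i%2 == 0 {
			ac += uint32(c) << 8
		} else {
			ac += uint32(c)
		}
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// SignRRset is the zone signer's end: one private key, one signature over the RRset.
func SignRRset(priv ed25519.PrivateKey, h RRSIGHeader, rrs []RR) []byte {
	return ed25519.Sign(priv, signedData(h, rrs))
}

// VerifyRRset is the receiver's end: one public key it has chosen to trust. No DS record,
// parent zone or chain of authorities is consulted; the trust decision is the caller's.
func VerifyRRset(pub ed25519.PublicKey, h RRSIGHeader, rrs []RR, sig []byte) bool {
	return ed25519.Verify(pub, signedData(h, rrs), sig)
}

// Demo signs a constructed A RRset for www.example.com and verifies it four ways: with the
// trusted key; with the records reordered, re-cased and TTL-decremented as a cache would hand
// them back; with a different key; and with one address altered in transit.
func Demo() (trusted, reordered, wrongKey, tampered bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed zone key
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	rrset := []RR{
		{"www.example.com.", typeA, classIN, 3600, []byte{192, 0, 2, 10}},
		{"www.example.com.", typeA, classIN, 3600, []byte{192, 0, 2, 1}},
	}
	hdr := RRSIGHeader{RRSIGFixed{
		TypeCovered: typeA, Algorithm: algED25519, Labels: 3, OrigTTL: 3600,
		Inception: 1259712000, Expiration: 1262304000, // constructed validity window
		KeyTag: KeyTag(257, algED25519, pub)}, "example.com."}
	sig := SignRRset(priv, hdr, rrset)

	trusted = VerifyRRset(pub, hdr, rrset, sig)
	cached := []RR{{"WWW.Example.COM.", typeA, classIN, 300, rrset[1].Rdata}, rrset[0]}
	reordered = VerifyRRset(pub, hdr, cached, sig)
	wrongKey = VerifyRRset(otherPub, hdr, rrset, sig)
	forged := []RR{rrset[0], {"www.example.com.", typeA, classIN, 3600, []byte{198, 51, 100, 1}}}
	tampered = VerifyRRset(pub, hdr, forged, sig)
	return
}

func main() {
	t, r, w, f := Demo()
	fmt.Printf("trusted key: %v, reordered/recased: %v, wrong key: %v, tampered: %v\n", t, r, w, f)
}
```

Running it prints `trusted key: true, reordered/recased: true, wrong key: false, tampered: false`. Only the signature check is shown; a real validator also matches the RRSIG's type covered, labels count, signer name and key tag against the RRset and DNSKEY, checks the inception/expiration window against the current time, and obtains the trusted key out of band. The DS chain through the parent zones is what a validator falls back on when it has not been given that key directly, which is the distinction the message above is drawing.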