These are assertions, not facts.

PKI is demonstrated to be effective in the reduction and management of risk; that is what it is designed to do and that is how I define the term 'security'.

On Fri, Jun 12, 2009 at 8:19 AM, Masataka Ohta<mohta@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Phillip Hallam-Baker wrote:
>
>>>> Trust roots have to be valid for at least a decade to be acceptable to
>>>> the application vendor community.
>>>
>>> That's an unproved assumption.
>
>> It is an observation backed by fifteen years of experience and direct
>> conversations with the principals for cryptographic security at the
>> major platform vendors.
>
> PKI, including DNSSEC, is NOT secure cryptographically, but secure
> socially or, in other words, weakly secure, subject to social and
> other forms of attacks.
>
> PKI, however, is not so insecure, in a sense that plain old DNS
> (specified in 1987) is not so insecure and has been valid for
> more than a decade to be acceptable to the application vendor
> community.
>
> That is the observed fact.
>
> If the broken security model of bailiwick is thrown away,
> plain old DNS is made secure enough.
>
> Moreover, plain old DNS is a lot easier to manage than PKI.
>
> Masataka Ohta
>
>

--
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
http://quantumofstupid.com/