Re: IAB statement on the RPKI.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Masataka Ohta пишет:
But, the most serious defect of DNSSEC, or PKI in general, is that,
despite a lot of hypes, it is not cryptographically secure.
Social attacks on trusted third parties makes the parties
untrustworthy, which means PKI is merely socially or weakly
secure.

There are a lot of deficiencies in PKI, but at present time I can see no alternative for establishing trust in loosely connected and large systems. If there is one, please advise.
For security of interdomain routing, social security of trust
relationship between ISPs is just enough to which additional
social security by PKI is not helpful.
There are no trust relationships between my ISP and your ISP.
How my ISP can trust routing announce, which I have got over the network and which has your ISP mentioned as the origin?

For security of DNS, social security of trust relationship between
ISPs and between zones are just enough to which additional social
security by PKI is not helpful.

Same question applies to DNS. My resolver have no trust relationships with your server.
How I can trust DNS-answer which I have got over the network?

Unfortunately, Internet 20 years ago and Internet today are two significantly different networks.

20 years ago I trusted to nearly all network participants and undoubtedly trusted to all network administrators.

Now, the necessity to build the chains of trust is obvious, otherwise you will lose a lot. The methods, which are being implemented are definitely not ideal (I knew a lot of flaws and weaknesses in systems, which are using PKI), but at the same time I do not know anything better.


dol@



						Masataka Ohta



_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]