Basil Dolmatov wrote:

> There are a lot of deficiencies in PKI, but at present time I can see no
> alternative for establishing trust in loosely connected and large
> systems. If there is one, please advise.

The problem of PKI is that its security socially depends on a loose connection of a chain of adjacent CAs. In other words, PKI, including DNSSEC, is not secure end to end.

As the chain is breakable at component CAs (trusted third parties are not very trustworthy), there is no point in working unreasonably hard to cryptographically strengthen links between adjacent CAs.

So, PKI is useless when there already is loose but reasonable social security.

> There are no trust relationships between my ISP and your ISP.

Your and my ISPs are loosely connected by a chain of social trust relationships between adjacent ISPs, which is why we can exchange packets over the Internet with reasonable security.

Additional loose connection by a PKI chain does not help.

> How can my ISP trust a routing announcement, which I have got over the network
> and which has your ISP mentioned as the origin?

That should be an argument against PKIs. How can you trust my CA, which you have got over a network of CAs?

Socially compromising a CA in the network is as easy as socially compromising an ISP.

> The same question applies to DNS. My resolver has no trust relationships
> with your server.

Adjacent zones have reasonable social trust relationships between them, through which network your resolver and my server are loosely connected with reasonable security.

If you argue zones are not managed very securely, it means CAs of PKI, a.k.a. zones of DNSSEC, are not managed very securely.

> How can I trust a DNS answer which I have got over the network?

How can you trust a DNSSEC answer which you have got over a network of poorly managed CAs (zones)?

> Now, the necessity to build the chains of trust is obvious,

Unless the chains are not already there.

Masataka Ohta

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf