On 17 Feb 2010, at 22:24, Masataka Ohta wrote:

> Martin Rex wrote:
>> DNSsec, as far as I can see, does not use a PKI in the traditional
>> sense. There are _NO_ persons involved in the process,
>
> FYI, zones are operated by people.
>
> I can forge a key of your zone. I can, then, ask a person operating a
> parent zone of yours to issue a valid signature over the forged key.

Yeah, but at least now we know the difference between the subversion of the "Chain of trust" and some bloke with a packet sniffer. As soon as the "Integrity" of the "Chain of trust" becomes obviously broken, for whatever reason, it's totally within our power to do what we do now, and ignore it.

The point here is, we now have a way to verify the technical functions we depend on today are working properly. It isn't about reputation or the trust of any given person or entity, any more than it is now. I can *still* find ingenious ways to bribe or subvert or otherwise make your registrar publish records of my control and design that pertain to your domains, with or without that verification function. Well, I could if I were sitting at the top with lots of money and nothing else to do. But when the data we receive is authentic from the intended, authenticated source, we have a chance to assign our own trust policies as we see fit (and it may be, though I doubt it, that I find the bloke with a packet sniffer a more reliable source than ICANN).

The utility of online banking and shopping, as certified by some sort of certification authority about whom we know next to nothing, suggests that we prefer some - any - degree of accountability, and the result of some CA being sloppy has always been (and will continue to be) grounds for distrust. And the same has applied as well to webs of trust, like those of PGP, where some degree of fuzzy logic is applied to make multiple vouches constitute more solid evidence of "Trustworthiness".

Single roots may present problems when there is no other root, but never to the extent of being an unchallenged authority, and certainly not to the degree that the Internet would experience an irreparable divide. The problems only really show up when people get involved, and that's why certification authorities are so rich.

Cheers,
Sabahattin

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf