Masataka Ohta wrote:
Yes.

> Basil Dolmatov wrote:
>
>> There are a lot of deficiencies in PKI, but at present time I can see no alternative for establishing trust in loosely connected and large systems. If there is one, please advise.
>
> The problem of PKI is that its security socially depends on a loose connection of a chain of adjacent CAs. In other words, PKI, including DNSSEC, is not secure end to end. As the chain is breakable at component CAs (trusted third parties are not very trustable), there is no point to work unreasonably hard to cryptographically strengthen links between adjacent CAs. So, PKI is useless when there already are loose but reasonable social security.
>
>> There are no trust relationships between my ISP and your ISP.
>
> Your and my ISPs are loosely connected by a chain of social trust relationships between adjacent ISPs, which is why we can exchange packets over the Internet with reasonable security.

No. Without any security at all. No guarantees of delivery, no origin validation, no path validation, etc.

"Social trust relationship" can arrange packet delivery but cannot arrange any responsibility for proper delivery.

As I have said before, the picture you are drawing reflects the Internet 20 years ago, when all participants cooperated and worked for the benefit of the network.

No _not_all_ participants have this paradigm in the network, and the share of those who do not participate in any "social trust relationships" but simply use the network in the manner they feel good for achieving their goals (sometimes criminal ones) is increasing continuously.

> Adjacent zones have reasonable social trust relationships between them, through which network, your resolver and my server are loosely connected with reasonable security.

With no security at all. Otherwise we would have never heard about "cache poisoning".

dol@

P.S. Just to mention: I liked the Internet 20 years ago much more and am a bit nostalgic about it.