Masataka Ohta wrote:
> > Martin Rex wrote:
> > > DNSsec, as far as I can see, does not use a PKI in the traditional
> > > sense. There are _NO_ persons involved in the process,
> >
> > FYI, zones are operated by people.

That is missing the point.

From what I've seen, the whole architecture of DNSsec is based on
assertions of keys being authorized to sign keys being authorized to
sign RRs.

The blobs of data that are being used in the signatures look very
similar to "RSASSA-PKCS1-V1_5-SIGN" (PKCS#1 v1.5 signature scheme) to me.

If you look at rfc-2437 (PKCS#1 v2.0)
http://tools.ietf.org/html/rfc2437
it does _NOT_ use the term "digital signature" anywhere throughout that
document, simply because there are no digital signatures described in
that specification.

"digital signature" is a term that has been picked up and used by
legislators to describe things that are equivalents to real/natural
signatures that represent legal entities, and where they attach legal
liabilities and contractual obligations.

The things used in DNSsec are just "signatures"; they are definitely
_NOT_ "digital signatures" in any legal sense.

And btw. the reason why dnssec-gost needs to be a MAY, and why the IETF
_standards_ ought to require all DNSsec-signed zones to include
signatures with a mandatory to implement algorithm, is described in
BCP-61, Section 6 as "the Danvers Doctrine":

http://www.rfc-editor.org/bcp/bcp61.txt
http://tools.ietf.org/html/rfc3365#section-6

-Martin

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
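Editor's added example (Python; this is not Martin's code and not anything from the DNSSEC or PKCS#1 specifications). It models the two things the message describes: the "RSASSA-PKCS1-V1_5-SIGN" blob (EMSA-PKCS1-v1_5 encoding of a SHA-256 DigestInfo, then RSA, as RFC 5702 algorithm 8 uses it) and the chain of "keys authorized to sign keys authorized to sign RRs" (a DS digest names the KSK, the KSK signs the DNSKEY RRset, a ZSK from that RRset signs the data). It also shows the Danvers Doctrine consequence: a validator that does not implement the signature algorithm cannot get "secure" at all. Assumptions: the RSA keys are toy-sized 768-bit keys generated in-process; the DNSKEY RDATA, DS digest, canonical RRset form and RRSIG header are simplified stand-ins for the RFC 4034 wire formats; algorithm 12 (GOST) appears only as a label meaning "not implemented here" (the toy still signs with RSA under that label); the "insecure" result is a simplification of the RFC 4035 section 5.2 "treat as unsigned" rule; the zone "example." and its A records are constructed sample data.

```python
"""Added example: toy model of the DNSSEC chain (DS -> KSK signs DNSKEY RRset -> ZSK signs
data RRsets) over RSASSA-PKCS1-v1_5/SHA-256 (RFC 5702 alg 8). Toy key sizes; not for real use."""
import hashlib
import secrets

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo prefix
ALG_RSASHA256 = 8   # RFC 5702: the one algorithm this toy validator implements
ALG_ECC_GOST = 12   # RFC 5933: used here only as a label meaning "not implemented here"

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    # Miller-Rabin with random bases; callers pass odd n > 3.
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def gen_rsa_key(bits: int = 768) -> dict:
    """Toy-sized RSA key {'n', 'e', 'd'}; 768-bit RSA is far too small for real use."""
    def prime(b: int) -> int:
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1  # force top and low bits
            if is_probable_prime(c): return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def emsa_pkcs1_v1_5(msg: bytes, k: int) -> bytes:
    # EMSA-PKCS1-v1_5 (RFC 2437 section 9.2.1): 00 01 FF..FF 00 || DigestInfo || SHA-256(msg)
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for SHA-256 with PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv: dict, msg: bytes) -> bytes:
    k = (priv["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v1_5(msg, k), "big"), priv["d"], priv["n"]).to_bytes(k, "big")

def rsa_verify(pub: dict, msg: bytes, sig: bytes) -> bool:
    k = (pub["n"].bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= pub["n"]: return False
    # Re-encode and compare the whole EM rather than parsing the padding (no lenient-parser bugs).
    return pow(s, pub["e"], pub["n"]).to_bytes(k, "big") == emsa_pkcs1_v1_5(msg, k)

def key_rdata(dk: dict) -> bytes:
    # Simplified DNSKEY RDATA: algorithm || n || e (flags/protocol omitted: an assumption of this toy)
    return bytes([dk["alg"]]) + dk["n"].to_bytes((dk["n"].bit_length() + 7) // 8, "big") + dk["e"].to_bytes(3, "big")

def ds_digest(dk: dict) -> str:
    # Stand-in for the DS digest: SHA-256(owner || DNSKEY RDATA), cf. RFC 4034 section 5.1.4
    return hashlib.sha256(dk["owner"].lower().encode() + key_rdata(dk)).hexdigest()

def canonical(rrset) -> bytes:
    # Simplified canonical RRset (owner, type, sorted RDATA) standing in for RFC 4034 section 6
    owner, rtype, rdatas = rrset
    rdatas = [key_rdata(r) if isinstance(r, dict) else r for r in rdatas]
    return b"|".join([owner.lower().encode(), rtype.encode(), *sorted(rdatas)])

def make_rrsig(rrset, dk: dict, priv: dict) -> dict:
    # RRSIG = sign(algorithm || signer name || canonical RRset); a simplified RRSIG RDATA header
    header = bytes([dk["alg"]]) + dk["owner"].lower().encode()
    return {"alg": dk["alg"], "signer": dk["owner"], "sig": rsa_sign(priv, header + canonical(rrset))}

def verify_rrsig(rrset, dk: dict, sig: dict) -> bool:
    if (sig["signer"].lower(), sig["alg"]) != (dk["owner"].lower(), dk["alg"]): return False
    return rsa_verify(dk, bytes([sig["alg"]]) + sig["signer"].lower().encode() + canonical(rrset), sig["sig"])

def validate(ds: str, dnskey_rrset, dnskey_sig: dict, rrset, rrsig: dict) -> str:
    """'secure', 'bogus', or 'insecure' when a signature uses an algorithm this validator
    lacks (a simplification of the RFC 4035 section 5.2 'treat as unsigned' rule)."""
    keys = dnskey_rrset[2]
    ksks = [k for k in keys if ds_digest(k) == ds]  # 1. the parent's DS names the key to trust
    if not ksks: return "bogus"
    if dnskey_sig["alg"] != ALG_RSASHA256 or rrsig["alg"] != ALG_RSASHA256: return "insecure"
    # 2. the DS-named key signs the key set; 3. a key from the signed set signs the data
    if not any(verify_rrsig(dnskey_rrset, k, dnskey_sig) for k in ksks): return "bogus"
    if not any(verify_rrsig(rrset, k, rrsig) for k in keys): return "bogus"
    return "secure"

def build_zone(zone: str = "example.", zsk_alg: int = ALG_RSASHA256) -> tuple:
    """Constructed sample zone: (ds, dnskey_rrset, dnskey_sig, a_rrset, a_sig), as validate() takes them.
    zsk_alg only relabels the ZSK; the toy always signs with RSA."""
    ksk_priv, zsk_priv = gen_rsa_key(), gen_rsa_key()
    ksk = {"owner": zone, "alg": ALG_RSASHA256, "n": ksk_priv["n"], "e": ksk_priv["e"]}
    zsk = {"owner": zone, "alg": zsk_alg, "n": zsk_priv["n"], "e": zsk_priv["e"]}
    dnskey_rrset = (zone, "DNSKEY", [ksk, zsk])
    a_rrset = ("www." + zone, "A", [b"192.0.2.1", b"192.0.2.2"])  # constructed sample data
    return (ds_digest(ksk), dnskey_rrset, make_rrsig(dnskey_rrset, ksk, ksk_priv),
            a_rrset, make_rrsig(a_rrset, zsk, zsk_priv))
```

`validate(*build_zone())` returns "secure"; swapping one A record for another address makes it "bogus", as does a DS that names no key in the DNSKEY RRset; `validate(*build_zone(zsk_alg=ALG_ECC_GOST))` returns "insecure" because the validator never gets as far as a signature check, which is the situation the Danvers Doctrine is meant to avoid for a zone signed only with a MAY algorithm. Note that rsa_verify re-encodes the expected EM and compares it whole instead of parsing the padding, which is the form of PKCS#1 v1.5 verification that does not fall to forgeries against lenient parsers.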