Phillip Hallam-Baker wrote:
> One of the issues people don't seem to consider in these schemes is
> that merely reducing the number of trusted intermediaries from ~40 to
> one doesn't actually remove reliance on trusted third parties,

That is, DNSSEC is not secure at all. Just as plain DNS is vulnerable to active attacks on communication channels, DNSSEC is so on CA chains.

Viktor Dukhovni wrote:
> It hasn't been "are you who say you are" for quite some time, not
> the vast majority of certificates. EV certificates are rather rare
> with the exception of some of the largest sites. Certainly the "Let's
> Encrypt" CA will not do anything resembling "are you who you say
> you are".

We don't need a CA for encryption, because DH is good enough. Though DH is vulnerable to active attacks on communication channels, a CA is so on CA chains.

Masataka Ohta