Ralf Skyper Kaiser <sky...@thc.org> wrote:
>
> The user has to trust ALL keys and not just the single ROOT KEY.

That's true, but the amount of trust you have to put in high-level DNSSEC keys is relatively limited. DNSSEC is aware of zone cuts, and high-level keys cannot authenticate domain names below a zone cut.

The DNS also caches a lot, so if an attacker tries to redirect part of the namespace without obtaining the corresponding private keys, they will cause suspicious validation failures at sites where the proper public keys were cached.

It would be nice to have something better than DNSSEC, but at least it has a safer structure than X.509.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.