John,
... Yes, not only can anyone distribute the public keys of the TLDs, but each TLD public key is readily accessible at any time from anywhere on the Internet, by sending a single DNS request to any of the root servers. This is one of the improvements that DNSSEC made, over the prior art of public key infrastructure.
If generic PKIs could assume a single TA, then the same model has always been possible. DNS has the advantage of having a single root, and a robust infrastructure supporting distribution of data about the next tier of the DNS. This allows DNSSEC to offer the functionality you describe. It is not an improvement over the prior art of PKI.
Steve

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
