Jim Reid wrote:

>> While the Bad Guy as an ISP administrator won't have the private
>> keys, the Bad Guy as a zone administrator will have the private keys.

> True,

Good enough.

> This claim is ridiculous. Unless someone uncovers a fundamental flaw in
> public key cryptography,

The fundamental flaw of public key cryptography, for its wrongly
claimed cryptographical security, is that trusted third parties
are not cryptographically secure, to which you have already said
"True,".

As you can see, since the Bad Guy as a zone administrator will
have the private keys, there is no cryptographical security
here.

> DNSSEC is secure cryptographically provided
> the private key(s) remain private.

The provision is not cryptographical.

> Now some people may (or may not) trust a third party to manage their
> keys and zone signing for them. That's their choice.

Have you ever heard of such a thing as a monopoly?

With a monopoly, consumers do not have any choice, which is the case
with DNS.

You are totally bound to "." and many are to ".com".

> It's just one of
> the many trade-offs that have to be considered in any sort of security
> system. For some, a private key held by a third party may well meet or
> exceed their security requirements.

That there are many operational trade-offs means that the security
is not cryptographic.

                                                Masataka Ohta



_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop