Paul Wouters wrote:
> In your
> favourite terms, diginotar as DNSSEC entity would have only
> been able to mess up .nl and not any other TLD, if it had been
> a "DNSSEC CA" instead of a "webpki CA". The hierarchical space
> offers better security than the flat webpki.
I can't see any reason why you think the root zone is
more secure than TLDs, especially because, as I wrote:
: Third, all the CAs, including TLDs, pursuing commercial
: success have a very good appearance, using such words as
: "HSMs" or "four eyes minimum". That is, you can't
: compare actual operational/physical strength from
: their formal documents.
and
: A false sense of security that DNSSEC were
: cryptographically secure motivates the operators
: to ignore DNSSEC operation rules, which are very
: complicated and hard to follow, for relatively
: strong physical security, which might be what
: happened in diginotar.
Masataka Ohta
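The scoping claim quoted above (a compromised TLD signer can only forge names under its own delegation, whereas any WebPKI CA can certify any name) can be made concrete with a small model. The code below is an added example written for this thread, not code from either author or from any DNSSEC implementation: it replaces real DNSKEY/DS chains and X.509 CAs with constructed HMAC keys, one per signer, and compares a hierarchical validator (signer must be an ancestor of the name) with a flat one (any trusted signer will do). It models only the name-scoping argument; it says nothing about the operational strength of any particular signer, which is the separate point raised in the reply.

```python
import hmac
import hashlib

# Constructed toy keys: one per trust anchor. In real DNSSEC these would be
# DNSKEY/DS chains rooted at "."; an HMAC key stands in for each signer here.
SIGNER_KEYS = {
    ".": b"root-key-constructed",
    "nl.": b"nl-tld-key-constructed",
    "com.": b"com-tld-key-constructed",
}

def _canonical(name: str) -> str:
    """Lower-case, single trailing dot, so 'WWW.Example.NL' == 'www.example.nl.'."""
    return name.lower().rstrip(".") + "."

def is_within_zone(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone` in the DNS tree (zone '.' covers all)."""
    name, zone = _canonical(name), _canonical(zone)
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)

def sign(signer: str, name: str, rdata: str) -> bytes:
    """Toy signature over (name, rdata) with the signer's key."""
    msg = f"{_canonical(name)}|{rdata}".encode()
    return hmac.new(SIGNER_KEYS[signer], msg, hashlib.sha256).digest()

def validate(name: str, rdata: str, signer: str, sig: bytes, hierarchical: bool) -> bool:
    """Accept a record if the signature checks out and, in hierarchical mode,
    the signer is actually authoritative for the name's subtree."""
    if signer not in SIGNER_KEYS:            # unknown trust anchor
        return False
    if not hmac.compare_digest(sign(signer, name, rdata), sig):
        return False
    if hierarchical and not is_within_zone(name, signer):
        return False                         # DNSSEC-style scoping rejects it
    return True                              # flat WebPKI-style trust accepts it

def blast_radius(compromised_signer: str, targets: list, hierarchical: bool) -> list:
    """Defender's view: which of `targets` a holder of this signer's key could
    get accepted by the validator, i.e. the scope of damage from that key."""
    forged = []
    for name in targets:
        sig = sign(compromised_signer, name, "192.0.2.1")   # constructed rdata
        if validate(name, "192.0.2.1", compromised_signer, sig, hierarchical):
            forged.append(name)
    return forged

TARGETS = ["www.example.nl", "www.example.com", "www.ietf.org"]

if __name__ == "__main__":
    print("hierarchical, nl. key:", blast_radius("nl.", TARGETS, True))
    print("flat,         nl. key:", blast_radius("nl.", TARGETS, False))
    print("hierarchical, root key:", blast_radius(".", TARGETS, True))
```

Running it shows the asymmetry both messages are arguing about: under the hierarchical check the `nl.` key reaches only `www.example.nl`, under the flat check it reaches all three names, and the root key reaches all three even under the hierarchical check, which is why the security of the parent zones, and not only the cryptography, decides what the hierarchy buys you.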
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop