Nico,
> DNSSEC is a PKI [of sorts; please, no need to pick nits about that].

agreed.

> It stands to reason that DNSSEC should have similar trust problems as
> PKIX.  I believe it does indeed.

PKIX, per se, does not have the trust problems that seem to motivate
CT; the Web PKI does. That PKI has always had a serious problem because
any TA can issue a cert for any Subject, irrespective of the Subject name.
Because DNSSEC intrinsically incorporates the equivalent of PKIX Name
Constraints, it does not suffer from that specific problem. That's not to
say that mis-issuance is not possible in DNSSEC, but rather that its
effects are more limited.

> It follows that things like CT that we're applying to PKIX should be
> applied to DNSSEC as well, where possible.

maybe.

> I don't see any reason why CT couldn't be extended to DNSSEC.  IMO, it
> should be done.

I'll defer to DNS experts on that.

Steve

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
