Re: [DNSOP] Should root-servers.net be signed

Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> Mon, 08 March 2010 03:06 UTC

Nicholas Weaver wrote:

> And PKI, despite what you say, is not broken.  Hierarchical trust
> OR web of trust, you have to have some transitive trust to make
> a usable system.

As the Internet (and the telco net, too, which has been used for
more than 100 years with moderate security) is the hierarchical
trust OR the web of trust, PKI adds nothing to it, which is
how PKI is broken.

> you have to have some transitive trust to make a usable system.

Sure. We already have the transitive trust between ISPs of the
Internet, and plain old DNS is the usable system.

DNSSEC adds nothing to it.

						Masataka Ohta