but it ain't the crypto. never has been. and it is not always easy to explain math in plain english. so let's focus on where work needs to be done.
You and I are in violent agreement. The problem is in understanding whether or not the crypto under the hood really does provide a TRUSTABLE system. And that is more to do with policies and procedures. This is the stuff that I don't see explained in plain English so that the decision makers who rely on DNS can make a decision on DNSSEC. Ed Lewis pointed out two presentations which he claims have no crypto. However, his own presentation at Apricot is laced with technical jargon including crypto. Stuff like "hierarchy of public keys", "DNSSEC data", "hash of the DNSKEY", "certificates", and so on. This is fine for a technical audience but it won't help explain the issue to the decision makers who spend the money. I understand how the crypto works to the extent that I believe it is technically possible for something like DNSSEC to work. However, I don't see an explanation of the policies and procedures that convinces me that DNSSEC really does work. The history of crypto-based security is filled with flawed implementations.

--Michael Dillon