Matt Corallo wrote:
So, let's recognize ISPs as trusted authorities and we are reasonably safe without excessive cost to support DNSSEC with all the untrustworthy hypes of HSMs and four-eyes principle.
I think this list probably has a few things to say about "ISPs as trusted authorities"
I'm afraid you miss the point. My point is that trusted third parties of CAs including DNSSEC providers are at least as untrustworthy as ISPs.
- is everyone on this list already announcing and enforcing an exact ASPA policy (or BGPSec or so) and ensuring the full path for each packet they send is secure and robust to ensure it gets to its proper destination?
I'm afraid that is a hype as bad as HSMs and four-eyes principle.
Somehow I don't think this model is workable,
As PKI, including DNSSEC, is subject to MitM attacks, is not cryptographically secure, does not provide end to end security and is not actually workable, why do you bother? Masataka Ohta