27 Mar 2005, 5:16 p.m.
* Sean Donelan:
Signatures don't create trust. A signature can only confirm an existing trust relationship. DNSSEC would have the same problem: where do you get the trustworthy signatures? By connecting to the same root you don't trust?
As a practical matter, you can stop 99% of the problems with a lot less effort. Why has SSH been so successful, and DNSSEC stumbled so badly?
Because SSH "signatures" do create trust. SSH uses the key continuity model, not the PKI model.
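
The key continuity model named in the reply above, sketched as an added example that is not part of the original message: the first key seen for a host is pinned with no third party vouching for it, and later connections are checked only against that pin. `PinStore`, the host name and the key blobs are hypothetical and constructed for illustration.

```python
import base64
import hashlib
import hmac
from enum import Enum


class Verdict(Enum):
    FIRST_CONTACT = "no pin yet: key remembered, nothing vouched for it"
    CONTINUOUS = "key matches the pin from the earlier contact"
    CHANGED = "key differs from the pin: stop and verify out of band"


def fingerprint(public_key_blob: bytes) -> str:
    """SHA-256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(public_key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class PinStore:
    """Hypothetical in-memory stand-in for a known_hosts file."""

    def __init__(self):
        self._pins = {}

    def check(self, host: str, public_key_blob: bytes) -> Verdict:
        seen = fingerprint(public_key_blob)
        pinned = self._pins.get(host)
        if pinned is None:
            # No certificate chain or root is consulted; trust starts here.
            self._pins[host] = seen
            return Verdict.FIRST_CONTACT
        if hmac.compare_digest(pinned, seen):
            return Verdict.CONTINUOUS
        # The pin is not overwritten: replacing it must be a deliberate act.
        return Verdict.CHANGED


# Constructed sample key blobs, not real host keys.
KEY_A = b"constructed-host-key-A"
KEY_B = b"constructed-host-key-B"


def demo():
    store = PinStore()
    host = "ns.example.net"  # assumed host name
    return [store.check(host, k).name for k in (KEY_A, KEY_A, KEY_B, KEY_A)]


if __name__ == "__main__":
    print(demo())
```

The weak point of this model is the first contact, which nothing authenticates; every later contact is only as trustworthy as that one.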