Which you can do with DNSSEC but the key management will be enormous.
-- Mark Andrews
On 21 Jun 2023, at 15:39, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> wrote:
Matt Corallo wrote:
As PKI, including DNSSEC, is subject to MitM attacks, is not cryptographically secure, does not provide end to end security and is not actually workable, why do you bother?
It sounds like you think nothing is workable, we simply cannot make anything secure
If an end and another end directly share a secret key without involving untrustworthy trusted third parties, the ends are secure end to end.
- if we should give up on WebPKI (and all its faults) and DNSSEC (and all its faults) and RPKI (and all its faults), what do we have left?
An untrustworthy but lightweight and inexpensive (or free) PKI may be worth its price and may be useful to make IP address based security a little better.
Masataka Ohta