To: "'Masataka Ohta'" <mohta@necom830.hpcl.titech.ac.jp>
Cc: "'dnsop@cafax.se'" <dnsop@cafax.se>
From: "Loomis, Rip" <GILBERT.R.LOOMIS@saic.com>
Date: Thu, 10 Oct 2002 22:30:32 -0400
Sender: owner-dnsop@cafax.se
Subject: RE: Interim signing of the root zone.

> > as dnssec is finally approaching deployment, it seems
> > imprudent to rush into a not obviously critical anycast
> > deployment when a little patience would seem harmless.

> DNSSEC, or any CA-based security, is not really secure and is
> undeployable for any practical security.

With all due respect, you've made such claims/statements on the list before, and never provided sufficient fact to back up that opinion. Please feel free to back up that opinion with fact, or don't waste people's time with it. Better yet, if you think things are slightly broken then propose a fix. If you think things are *very* broken then propose a workable alternative and explain why things are so broken.

Describing DNSSEC as "CA-based security" is starting off on the complete wrong tack as far as I'm concerned--there are real and significant differences between the distributed zone-based signing scheme of DNSSEC signed zones (on the one hand) and monolithic PKI based on CAs (on the other).

I look forward to constructive comments, or a more clear explanation of your claims. In the meantime, I'm going back to deploying DNSSEC for practical security.

--Rip