To: Ted.Hardie@nominum.com
cc: Keith Moore <moore@cs.utk.edu>, Edward Lewis <lewis@tislabs.com>, keydist@cafax.se
From: Keith Moore <moore@cs.utk.edu>
Date: Wed, 09 Jan 2002 14:45:58 -0500
In-reply-to: Your message of "Wed, 09 Jan 2002 11:10:52 PST." <20020109111052.B67743@shell.nominum.com>
Sender: owner-keydist@cafax.se
Subject: Re: From whence we came...

> I think this is a valid point. The way I wrap that in my head is:
>
> DNSSEC helps you to know that the materials you got from the wallet
> were the materials that the owner put in there.

this is only true if you trust DNSSEC, and DNSSEC seems to assume a trust model that not everyone would consider valid. this is fine if you don't make DNSSEC an inherent part of the trust chain. it's not fine if you design a system that requires that everyone that uses it place trust in DNSSEC.

put another way: if the system assumes that DNSSEC is *the* only way to make verifiable assertions about identity, it's broken. if the system allows DNSSEC as *a* way to make verifiable assertions about identity, with other ways allowed also, that's a Good Thing.

Keith