
Re: opportunistic encryption deployment problems



% 
% On Tue, 21 Aug 2001, Jari Arkko wrote:
% 
%  > While I do like how OE can be used from small to large deployment of
%  > DNSSEC, I'm concerned that (a) DNSSEC will eventually bring the same
%  > trouble as a large scale PKI would [such as the worries about people
%  > being able to control their reverse mappings or their DNS at all], and
%  > (b) it may not be the most effective weak authentication scheme [and
%  > it is weak until the root gets signed].
% 
% what makes DNSSEC weak just because the root is not signed? there is
% nothing that stops us from signing the in-addr.arpa zone before root and
% when this is done people can start trusting it immediately if they like to.
% 
% 	jakob
% 

	As I told Hugh in London, we have a working, signed
	root, arpa, and in-addr.arpa zone available. All that
	the OE folks need to do is notify the parent as to which
	child zones they wish the parent to know are signed, e.g.
	Hugh should tell me that:
	
		300.168.192.in-addr.arpa is signed
		and
		send me the key for that signature.

	Then I can sign the key for that zone and voila!
	all entries in that zone can walk a fully signed 
	tree!


-- 
--bill

