North American Network Operators Group

Re: DNS cache poisoning attacks -- are they real?
* Sean Donelan:

> Signatures don't create trust. A signature can only confirm an existing
> trust relationship. DNSSEC would have the same problem, where do you get
> the trustworthy signatures? By connecting to the same root you don't
> trust?
>
> As a practical matter, you can stop 99% of the problems with a lot less
> effort. Why has SSH been so successful, and DNSSEC stumbled so badly?

Because SSH "signatures" do create trust. SSH uses the key continuity
model, not the PKI model.
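The key continuity model named in the reply above, as an added sketch that is not part of the original message and is not OpenSSH's code: the first key seen for a host is pinned without any third-party signature, and every later contact is checked against that pin. The class name, host name and key blobs are constructed for illustration.

```python
import base64
import hashlib
import hmac


def fingerprint(public_key_blob: bytes) -> str:
    """SHA-256 fingerprint, unpadded base64, in the style OpenSSH prints."""
    digest = hashlib.sha256(public_key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KeyContinuityStore:
    """Hypothetical in-memory pin store (an SSH client keeps pins in known_hosts)."""

    def __init__(self):
        self._pins = {}

    def check(self, host: str, public_key_blob: bytes) -> str:
        name = host.lower()  # host names compare case-insensitively
        seen = fingerprint(public_key_blob)
        pinned = self._pins.get(name)
        if pinned is None:
            # First contact: nothing to compare against, so the key is pinned.
            # This is the only unauthenticated step in the model.
            self._pins[name] = seen
            return "first-contact"
        if hmac.compare_digest(pinned, seen):
            return "match"
        # A changed key is reported and the pin is kept; replacing it
        # must be an explicit operator decision, never automatic.
        return "mismatch"


def demo():
    store = KeyContinuityStore()
    key_a = b"constructed-host-key-A"  # constructed sample key blobs
    key_b = b"constructed-host-key-B"
    return [
        store.check("ns1.example.net", key_a),  # pinned on first use
        store.check("NS1.example.net", key_a),  # same host, same key
        store.check("ns1.example.net", key_b),  # different key presented
        store.check("ns1.example.net", key_a),  # original pin still in force
    ]


if __name__ == "__main__":
    print(demo())
```

No certificate authority or signed root appears anywhere in the check; the model's guarantee is only that the key has not changed since first contact.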