On Aug 20, 2008, at 6:57 PM, Masataka Ohta wrote:
> If you and your peer already have secure channel, you have no
> reason to use DNSSEC for secure identification nor communication
> with the peer.

Ohta-san, this is clueless in so many ways. It's inspiring.

First of all, perhaps you do have a secure channel to your trust
anchor. This doesn't mean that you have a secure channel to all the
zones that depend from it. So you can get the trust anchor key, and
because you have it, you can now validate all those zones for which
you have no such secure channel.

Secondly, secure channels can be automatic or manual. Frequently
they're manual. So you use the manual channel to set up an automatic
channel. This is what, e.g., the PGP key signing that happens at
every IETF is all about.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop