Matt Corallo wrote:
> > As PKI, including DNSSEC, is subject to MitM attacks, is
> > not cryptographically secure, does not provide end to end
> > security and is not actually workable, why do you bother?
>
> It sounds like you think nothing is workable, we simply cannot make
> anything secure

If an end and another end directly share a secret
key without involving untrustworthy trusted third
parties, the ends are secure end to end.

> - if we should give up on WebPKI (and all its faults)
> and DNSSEC (and all its faults) and RPKI (and all its faults), what do
> we have left?

An untrustworthy but lightweight and inexpensive (or free)
PKI may be worth its price and may be useful to make IP address
based security a little better.
Masataka Ohta