Which you can do with DNSSEC but the key management will be enormous.

--
Mark Andrews

> On 21 Jun 2023, at 15:39, Masataka Ohta <mo...@necom830.hpcl.titech.ac.jp> wrote:
>
> Matt Corallo wrote:
>
>>> As PKI, including DNSSEC, is subject to MitM attacks, is
>>> not cryptographically secure, does not provide end to end
>>> security and is not actually workable, why do you bother?
>> It sounds like you think nothing is workable, we simply cannot make anything
>> secure
>
> If an end and another end directly share a secret
> key without involving untrustworthy trusted third
> parties, the ends are secure end to end.
>
>> - if we should give up on WebPKI (and all its faults) and DNSSEC (and all
>> its faults) and RPKI (and all its faults), what do we have left?
>
> An untrustworthy but light weight and inexpensive (or free)
> PKI may be worth its price and may be useful to make IP address
> based security a little better.
>
> Masataka Ohta