Re: Global PKI on DNS?




At 2:47 PM -0400 6/13/02, Keith Moore wrote:
> > A modest, realistic ambition for a DNS-based PKI would be to improve
> > the security of the binding between DNS entries and the associated
> > machines
>
> yes, I think this is right. it eliminates some kinds of threats. but it still doesn't guarantee that you're talking to the service you think you're talking to. and that's a difficult distinction to communicate to users.

It is unlikely that we can ever create a system that ensures that every user is "talking to the service you think you're talking to" because users can make all sorts of mistakes in trying to express who they really want to talk to. That's why I think it makes sense to settle for a more modest aim, i.e., authenticating that you are connected to the entity registered with the DNS name that you asserted that you wanted to talk to.


> that and putting this much trust in the registries makes them very
> attractive targets.

Which registries? DNS servers are already attractive targets. Absent other forms of strong authentication, we rely on the integrity of the DNS to ensure that we are talking to who we ....


Steve




Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.