Re: Global PKI on DNS?

[Stephen Kent <kent at bbn.com>]

At 2:05 PM -0400 6/14/02, John Stracke wrote:
>  >In a system
> > like DNS which makes clear who is authoritative for which names, I
> > don't think the term "trust" is applicable, and that is the crux of
> > our disagreement.
>
> The problem is that, although the owner of the domain is authoritative
> for who gets to use which name, that doesn't mean their users want
> them to issue certificates.  The first requires that the owner trusts
> the users; the second requires that the users trust the owner.  And
> trust is not symmetric.

I see your point, but there are a lot of ways to look at this issue 
of in the general case.

The state in which I reside determines who is authorized to issue my 
driver's license. The country of which I am a citizen determines who 
issues my passport. The employer for whom I work determines who 
issues my employee ID. The banks with whom I elect to have credit 
card relationships determine the numeric spaces fro  which my credit 
card numbers are selected. In each case the issuer of the credential 
is precisely the entity who "owns" the name space in which the 
credential is issued. Why should a DNS-based PKI be different? As 
soon as you decide to allow 3rd parties to issue credentials in name 
spaces for which they are not authoritative, you DO introduce a whole 
raft of trust issues, and that makes PKIs very hard to manage and for 
users to understand.

Maybe if I don't want my DNS cert issued by the admin for the DNS 
subdomain in which you "live" I should "move" to a new subdomain, a 
better neighborhood in cyberspace?

Steve