Re: Global PKI on DNS?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Global PKI on DNS?

Stef,

Hi Steve -- Now we are beginning to connect with the real meta issue.

I am talking about "Trust Transitivity" in general.
We agree that the DNS offers no trust functions, useful or otherwise.
So, my focus is not on PKI as related to DNS, which is what you addressed here.

It the fundamental issue of trust transitivity in PKI.

I will concede that PKI is transitive in terms of "connectedness" as is DNS.
Both have relations of relatedness, but this does not confer transitivity on trust.
Trust still has to be earned, not awarded, in any case.

I am questioning the validity of the widely held assumption that trust is
(or can be) transitive in PKI (or anywhere for that matter).

So, back to my basic question:

Is trust transitive anywhere under any conditions?

I question that it is, until someone proves that:

	"Trust is transitive somewhere/anywhere in real life";

and then prove that:

	"Trust is transitive in PKI Theory";

and then prove that:

	"Trust is transitive in PKI reality".

HINT:  It will help if you can refer to some Formal Logical Theory of TRUST.

First, forget PKI and forget DNS, and show that trust is transitive somewhere under some describable conditions. Then show that trust is transitive in PKI.

I know that many people assume that Trust is transitive in PKI.
I am not asking about popular opinion here.
We need some formally logical facts.
If you have some, please show them to us.

Cheers...\Stef

This is getting tiresome. I have the feeling that you do not read to the end my messages. I'll keep this short:

- I have never stated that trust is transitive; in fact, I have given numerous talks and written a number of papers that state the opposite, so my position has been consistent and on the record for many years.

- although many popular PKIs (including PGP) assume on transitive trust, this it not an intrinsic feature of PKIs.

- a PKI in which each CA is authoritative for the name space in which it issues certs need not involve transitive trust.

- cross-certification in such a PKI need not involve trust; it can merely represent a recognition by one CA of the authority of another CA for a different part of a name space

In the case of DNS, where authority for each part of the name space is well defined, I argue that having the folks who are responsible for the domains assume the role of CA for their domains is a natural way to create a PKI that attests only to the binding of DNS names to keys. I maintain that this does not involve transitive trust.

Steve



Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.