Re: Global PKI on DNS?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Global PKI on DNS?

At 3:32 PM -0700 6/14/02, Einar Stefferud wrote: 
Ok, we are getting somewhere now.

So, I ask, where does trust come from in PKI if not from transmission via some 3rd party CERT issuer, which I understand to be a use of transitivity of trust from the CERT buyer, though the CA to the relying party.

Maybe this is is erroneous thinking, but if so, please explain how the trust information is passed from the CERT holder through the CA to the cert recipient who will use if as a basis of trust. To me, this looks like transitivity.

A trusts B; C Trusts A; therefore C trusts B????

Cheers...\Stef 

Stef,

A public key cert is a digitally signed attestation by a CA, binding attributes to a public key. It is a digital credential. We deal with physical credentials all the time and in most cases we don't ask whether we trust the issuer of the credential to correctly issue the credential, although there are exceptions. More often we worry about the integrity of the credential pre se, e.g., how hard is it to forge a credential.

I feel that the term "trust" is appropriately applied to certs when the CA is not authoritative for the attributes in the cert, but is not appropriate when the CA is authoritative.

By analogy, we normally do not say that we "trust" an employer to identify its employees or the U.S. State Dept. to identify U.S. citizens. They are authoritative as credential issuers and thus the term trust, while potentially applicable, is not commonly applied, i.e., it is implicit.

Steve



Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.