Re: Global PKI on DNS?

[Stephen Kent <kent at bbn.com>]

At 10:43 AM -0400 6/17/02, Keith Moore wrote:
>  > If explicit trust is required I agree, but in the DNS case we already
> >  have a singly-rooted tree that everyone relies upon. if you want to
> >  use the word "trust" then we all trust the root for DNS, but I think
> >  the term is not applicable here.
>
> I think the word "trust" accurately reflects the situation.
>
> People do trust the current DNS to some degree.  The danger of a DNS-based
> PKI is that people will invest far more trust in the DNS PKI than is
> warranted, and/or that the root and/or TLD servers will abuse that trust.
>
> Recent history demonstrates that such abuse is likely.
>
> Keith

Keith,

I think you raise a valid concern, but it's one we always face when 
transitioning from an insecure system to a more secure system. People 
may misuse any security technology by imbuing it with more 
capabilities than the developers of the technology intended. However, 
if we always let that concern deter us, we will rarely make progress. 
Also, this is not a suggestion to deploy a DNS-based PKI in lieu of 
other PKIs; I am a believer in multiple. independent PKIs. So I see a 
DNS-based PKI as fulfilling just one role, i.e. vouching for the 
binding between a DNS name and a key. There is plenty of room for 
other PKIs to exist, vouching for other bindings.

Steve