Re: Global PKI on DNS?

To: Ed Gerck <egerck at nma.com>
Subject: Re: Global PKI on DNS?
From: Stephen Kent <kent at bbn.com>
Date: Mon, 17 Jun 2002 12:00:28 -0400
Cc: ietf <ietf at ietf.org>
In-reply-to: <3D0E0089.79DFECB8@nma.com>
References: <D9E0SFBURDA5LIJE0443LF4Z31C31.3d082370@www> <v04220818b92ddfce4d1b@[192.168.1.14]> <p05100300b92e529498e4@[128.89.88.34]> <v04220800b92e6c4ffed6@[192.168.1.14]> <p05100309b92e78ae8c66@[128.89.88.34]> <v04220809b92ec39457b0@[192.168.1.14]> <p05100302b92f88e781b6@[128.89.88.34]> <v04220801b92fc048a27a@[192.168.1.14]> <p0510030eb92fd2d2dfa0@[128.89.88.34]> <v04220806b92fe659b3bf@[192.168.1.14]> <p05100315b92ffe1b0b50@[128.89.88.34]> <v0422080cb9301e14cbdf@[192.168.1.14]> <p05100302b9339bd7f9f6@[128.89.88.34]> <3D0E0089.79DFECB8@nma.com>
Sender: owner-ietf at ietf.org

At 8:30 AM -0700 6/17/02, Ed Gerck wrote:

Stephen Kent wrote:

 I feel that the term "trust" is appropriately applied to certs when
 the CA is not authoritative for the attributes in the cert, but is
 not appropriate when the CA is authoritative.


Trust is oftentimes used as a synonym for authorization.  This is fine if
you have a network, where a trusted  user is a user authorized by the
sysadmin to do or be something. However,  the concept of trust as we
have developed and learned to use it for thousands of years in commerce
and human communication (like an internet, a network of networks)
is much more complex than authorization. Thus, when we replace trust
with authorization we lose representation capacity -- we flaten out, so
to say, the descriptive capacity of our language.

I agree that the two concepts should be kept distinct, and that's why I try to use "trust" to describe CA relationships where authorization is absent. In the DNS, and in many other cases, CAs are authorized and thus need not be "trusted" in the traditional sense.

As authorization, trust can be transitive.  Money is an authorization
for payment and it is surely transitive.  However, if trust is taken as
representing the usual concept of trust, then it cannot be considered
transitive. For example,  if I trust my brother this does not mean that I
must trust my brother's friends.  We cannot grant it to be associative,
either. Let me exemplify.


We agree.

<snip>
These problems eventually invalidate any PKI scheme which grows beyond a certain "critical radius". And, it also casts serious doubts on the validity of delegation and authorization chains if such aspects of trust are not taken into account. As they are not, in PKI and in the DNS.


I don't understand your assertion in this last sentence.

Steve

References:
- Re: Global PKI on DNS?
  - From: Chris Evans
- Re: Global PKI on DNS?
  - From: Einar Stefferud
- Re: Global PKI on DNS?
  - From: Stephen Kent
- Re: Global PKI on DNS?
  - From: Einar Stefferud
- Re: Global PKI on DNS?
  - From: Stephen Kent
- Re: Global PKI on DNS?
  - From: Einar Stefferud
- Re: Global PKI on DNS?
  - From: Stephen Kent
- Re: Global PKI on DNS?
  - From: Einar Stefferud
- Re: Global PKI on DNS?
  - From: Stephen Kent
- Re: Global PKI on DNS?
  - From: Einar Stefferud
- Re: Global PKI on DNS?
  - From: Stephen Kent
- Re: Global PKI on DNS?
  - From: Einar Stefferud
- Re: Global PKI on DNS?
  - From: Stephen Kent
- Re: Global PKI on DNS?
  - From: Ed Gerck

Prev by Date: Re: Global PKI on DNS?
Next by Date: Re: Global PKI on DNS?
Previous by thread: Re: Global PKI on DNS?
Next by thread: Re: Global PKI on DNS?
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

Re: Global PKI on DNS?

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.