Re: Global PKI on DNS?

To: Keith Moore <moore at cs.utk.edu>
Subject: Re: Global PKI on DNS?
From: Stephen Kent <kent at bbn.com>
Date: Wed, 19 Jun 2002 21:55:06 -0400
Cc: ietf <ietf at ietf.org>
In-reply-to: <200206171839.g5HIdcY02323@astro.cs.utk.edu>
References: <200206171839.g5HIdcY02323@astro.cs.utk.edu>
Sender: owner-ietf at ietf.org

At 2:39 PM -0400 6/17/02, Keith Moore wrote:

> Well, we agree on the utility of having multiple PKIs. We disagree on

 the need for a PKI that happens to cover a specific name space that
 underlies the vast majority of IP-based communications, or at least
 you disagree on the desirability of that specific PKI given the
 reality of who runs which TLDs. But, you don't offer any suggestions
 on how to address the need that a DNS-based PKI satisfies.


I don't see it as a 'need' in that sense.  If you want to increase
the level of trust over the current situation, you pretty much have
to either exchange keying material directly with that party,
or pick a third party that *you* trust to serve as an intermediary.
It's really hard to have multiple intermediaries because you need
to trust them all.  And just because someone runs a TLD doesn't mean
that you want to trust them - it often means you should be wary of them.

direct exchange obviously does not scale well, and picking a third party gets into the trust problem all over again, as well as requiring that BOTH you and the other correspondent trust.

It really doesn't have much to do with DNS - the problem is that
real trust doesn't scale to that level no matter what the naming
scheme or the protocol.

Your later message clarified this, i.e., you believe that in general one cannot identify a third party who enough people trust to act as a CA for a large set of people. I argue that we are have learned to accept organizational entities as authoritative issuers of credentials all the time and that this is no different. This is not a suggestion to have only ONE PKI for everything. It is a suggestion to have exactly one for the purpose of securely binding DNS names to keys. If you are afraid that people would come to rely on this one too much, and that it would deter other PKIs from being formed, maybe that's an indication that it would be more valuable that you care to admit :-)

Steve

Follow-Ups:
- Re: Global PKI on DNS?
  - From: Keith Moore

References:
- Re: Global PKI on DNS?
  - From: Keith Moore

Prev by Date: Re: Global PKI on DNS?
Next by Date: Re: Global PKI on DNS?
Previous by thread: Re: Global PKI on DNS?
Next by thread: Re: Global PKI on DNS?
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

Re: Global PKI on DNS?

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.