Re: Global PKI on DNS?

g'day,

Keith Moore wrote:
> 
> > Somebody (I
> > think it was Keith) suggested earlier in this thread that nobody should
> > be trusted with the single PKI root. Maybe the same sentiment applies to
> > DNS roots, as well??
> 
> no, it doesn't follow at all.    you need a unique root (of some kind) to
> prevent name conflicts - mutual self-interest among competitors does not
> suffice to do that.

Somebody suggested out-of-band that I might be trolling with my last
post, but actually I was just surrendering to my frustration, for which
I apologize. I know what a wasteland this topic seems to be for so many
of you, so I will allow myself one last reply and then shut up. Those of
you who can't stand that idea should hit 'N' now...

You don't need a unique root if you're willing to relax the prior
constraint that you absolutely must prevent name conflicts. I know that
voicing this idea is considered an indictable (if not excommunicable)
offense to many folks in this community, but frankly the prospect of
such collisions as an alternative to the current mess just doesn't seem
to me to be such a horrible alternative.

What we're really talking about here is the possibility of letting users
access multiple namespaces, and thus extending the current tools to
allow specifying an alternate namespace in some manner or another.

By refusing to accept this as a goal worth achieving, we guarantee that
we'll never figure out ways to make it work but I personally see this as
a failure of our collective imagination, not as an underlying limitation
of the potential DNS we might have built.

I'll accept that most people on this list don't want to think about
lifting the lid of the cesspool that is the whole nasty, messy, ugly
politically oriented side of the current DNS situation. Suffice to say
users need more services in this area that allow greater freedom of
choice in names and greater search and location capability. Sadly we've
done nothing much for them since we deployed DNS and surrendered
discovery to the crawlers and the search engines. Pity, but we seem to
have valued stability over innovation in this space for a while now.


> OTOH a distinguished root CA is a Very Bad Idea.

It would seem to me that anyone wanting to operate a certificate service
will need to operate a well known or easily discoverable root. If
multiple people are going to set up to offer such services, you will
have multiple roots. QED

Now, if the thought of this concept didn't make you jerk awake screaming
and bathed in sweat last night, then I still don't see why you can't
equate this concept to multiple DNS roots, other than the proof by
assertion that it can't work. I pick my authoritative source, you pick
yours and we make it a work item that we figure out ways for people to
toggle between namespaces and distinguish between them when in use. By
instead declaring it an axiom that you *can't* have more than one
namespace you surrender yourself to a single, overcrowded politically
captured mess.

I know that the political considerations are off topic for this list, so
I'll just say it one more time and then shut up. There's some neat
technical issues that a body such as the IETF could consider in this
space, and if you can contemplate something as important as your root
certificate authority not being unique, I don't see why the concept of a
single DNS root is so sacrosanct. But that's just me...


I've tried to figure out where I could direct followups for this thread,
and I can't for the life of me suggest a viable forum within the IETF
context. Maybe that says something about how ignorant I am, or maybe it
just says something about the IETF's current level of genetic diversity
in this area. Either possibility makes me sad...  :-)


				- peterd

(Who will now slink back into his hole, wondering what on earth possessed
him...)



-- 
-----------------------------------------------------------------------
   Peter Deutsch                   peterd@earthlink.net


   "I had to do an assignment on wild animals, and I decided to
    do my report on alligators. To complete my research, I took a
    trip to the zoo. I wanted to make a day of it, so I took along
    my pet dog. I figured we could throw a little frisbee,
    enjoy the sun, but boy was that trip a disaster. I had to
    tell my teacher that my homework ate my dog..."

----------------------------------------------------------------------

