g'day,

Keith Moore wrote:
> > Somebody (I think it was Keith) suggested earlier in this thread that
> > nobody should be trusted with the single PKI root. Maybe the same
> > sentiment applies to DNS roots, as well??
>
> no, it doesn't follow at all. you need a unique root (of some kind) to
> prevent name conflicts - mutual self-interest among competitors does not
> suffice to do that.

Somebody suggested out-of-band that I might be trolling with my last post, but actually I was just surrendering to my frustration, for which I apologize. I know what a wasteland this topic seems to be for so many of you, so I will allow myself one last reply and then shut up. Those of you who can't stand that idea should hit 'N' now...

You don't need a unique root if you're willing to relax the prior constraint that you absolutely must prevent name conflicts. I know that voicing this idea is considered an indictable (if not excommunicable) offense to many folks in this community, but frankly the prospect of such collisions as an alternative to the current mess just doesn't seem to me to be such a horrible alternative.

What we're really talking about here is the possibility of letting users access multiple namespaces, and thus extending the current tools to allow specifying an alternate namespace in some manner or another. By refusing to accept this as a goal worth achieving, we guarantee that we'll never figure out ways to make it work, but I personally see this as a failure of our collective imagination, not as an underlying limitation of the potential DNS we might have built.

I'll accept that most people on this list don't want to think about lifting the lid of the cesspool that is the whole nasty, messy, ugly, politically oriented side of the current DNS situation. Suffice to say users need more services in this area that allow greater freedom of choice in names and greater search and location capability.

Sadly we've done nothing much for them since we deployed DNS and surrendered discovery to the crawlers and the search engines. Pity, but we seem to have valued stability over innovation in this space for a while now.

> OTOH a distinguished root CA is a Very Bad Idea.

It would seem to me that anyone wanting to operate a certificate service will need to operate a well-known or easily discoverable root. If multiple people are going to set up to offer such services, you will have multiple roots. QED.

Now, if the thought of this concept didn't make you jerk awake screaming and bathed in sweat last night, then I still don't see why you can't equate this concept to multiple DNS roots, other than the proof by assertion that it can't work. I pick my authoritative source, you pick yours, and we make it a work item that we figure out ways for people to toggle between namespaces and distinguish between them when in use. By instead declaring it an axiom that you *can't* have more than one namespace, you surrender yourself to a single, overcrowded, politically captured mess.

I know that the political considerations are off topic for this list, so I'll just say it one more time and then shut up. There are some neat technical issues that a body such as the IETF could consider in this space, and if you can contemplate something as important as your root certificate authority not being unique, I don't see why the concept of a single DNS root is so sacrosanct. But that's just me...

I've tried to figure out where I could direct followups for this thread, and I can't for the life of me suggest a viable forum within the IETF context. Maybe that says something about how ignorant I am, or maybe it just says something about the IETF's current level of genetic diversity in this area. Either possibility makes me sad... :-)

- peterd

(Who will now slink back into his hole, wondering what on earth possessed him...)
--
-----------------------------------------------------------------------
Peter Deutsch                                      peterd@earthlink.net

"I had to do an assignment on wild animals, and I decided to do my
report on alligators. To complete my research, I took a trip to the zoo.
I wanted to make a day of it, so I took along my pet dog. I figured we
could throw a little frisbee, enjoy the sun, but boy was that trip a
disaster. I had to tell my teacher that my homework ate my dog..."
-----------------------------------------------------------------------