Re: Global PKI on DNS?

At 1:15 PM -0400 6/12/02, Keith Moore wrote:
>>  > I don't want to discount the importance of cert discovery, but I do
>>  > think it's a stretch to believe that you're going to be willing to trust
>>  > all of the certs that you discover in a chain of significant length, for
>>  > a significant set of purposes.
>>
>>  So do you think that there's a necessary difference in trustworthiness
>>  between the certs that you "discover" when you take your computer out of
>>  the box, or download the latest browser, and those that you would discover
>>  via some lookup mechanism?  Even if the certs discovered via that
>>  mechanism were associated with policies based on explicit agreements
>>  and terms of use between your organization and the various issuers?
>
>no, I think there's likely to be a difference in the trustworthiness
>of a short chain of certs involving a small number of other parties
>vs. that of a long chain of certs involving a larger number of other
>parties.  and if the cert discovery mechanism can incorporate
>personal and/or site policy, that's great - as long as it knows
>which policy to use under which circumstances. 
>
>in general I think the longer the cert chain, the narrower the applicability.
>
>Keith

I think that it is an oversimplification to argue that shorter chains 
are necessarily less trustworthy than longer ones, and this seems 
especially true in this context.

if one were to create a PKI paralleling the DNS, each CA would 
correspond to a component of a DNS name and each of those points is 
authoritative for the naming of the entities under it. this is not a 
new notion introduced by making a PKI parallel to the DNS, but is an 
intrinsic feature of the DNS design. if one chose to create such a 
PKI, the CAs would not be trusted third parties in the common sense 
of the term. they are precisely the entities that are responsible for 
managing their parts of the DNS name space and are implicitly trusted 
to do so.

Those who have argued against a single root in general should note 
that there are ways to have multiple entities act in a coordinated 
fashion to sign on behalf of a root, which mitigates the security 
concerns associated with what might appear to be a single root. But, 
that does not diminish the problems noted earlier re increased 
traffic for TLD DNS servers, etc. I'm just addressing the security 
aspects of a DNS-based PKI. Also even if one were to have a singly 
rooted DNS, that does not make it the only game in town, i.e., there 
should be lots of other PKIs, each with its own root and serving a 
well defined constituency.

Steve

