a nit, Re: Global PKI on DNS?

Stef's point that PKI cannot represent trust relationships
is deflected -- but not denied -- by Kent. Does this mean
that we can have a global PKI on DNS?

No.

I believe that Kent is right when he says that PKI deals with a
chain of authority, not a chain of trust.  This may seem to be an
arcane point, but a chain of authority can be defined by a
self-reference and can be propagated from a single reference
to a single reference, whereas a chain of trust cannot, on both
counts.  Indeed, a PKI hierarchy (and chain of authority)
is very similar to the DNS hierarchy and zone delegation
system.

There is a nit, however.

A PKI modeled on the DNS would fail to work as a PKI.  Contrary
to the DNS, and as an "infrastructure", a PKI should be able to
accept -- and use -- multiple roots.  But there is no concept of
"cross CA" certification in the DNS, which would be akin to
routing across multiple roots in the DNS.  In fact, this is exactly what
the ICANN folks set out to prevent...

Cheers,
Ed Gerck

Stephen Kent wrote:

> At 10:42 PM -0700 6/12/02, Einar Stefferud wrote:
> >May I suggest that someone do a little work on proving the trust is
> >transitive, as that is what this is really all about, and if it
> >turns out that trust in not transitive, then what was the point?
> >
> >Maybe if you ask Google about trust transitivity, you all might
> >learn something;-)...
> >
> >Cheers..Stef
> >
> >PS:  I trimmed the address list to just IETF;-)...
> >
>
> Stef,
>
> Trust generally is not transitive, but cert chains are not about
> transitive trust. The DNS is a hierarchy with clear lines of
> authority for name spaces. A PKI modeled on the DNS would parallel
> the existing hierarchy and merely codify the relationships expressed
> by it in the form of public key certs.
>
> Steve
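To make the chain-of-authority point concrete, here is an added example that is not part of the thread and not code from any of its participants. It is a toy path builder in Python: each certificate is an issuer-to-subject edge carrying the DNS-style zone the issuer vouches for, and validation checks only that each link stays inside the zone delegated above it (authority), never anything about trust. The names Root-A, Root-B, the zones "a." and "b.", and the helpers Cert, in_zone and build_path are all constructed for illustration; no real signatures are verified, the edge itself stands in for a verified signature. The example goes slightly beyond the thread in one respect: the relying party's policy for an anchor is expressed as a zone, so it can also show a cross-certificate being refused when it exceeds the anchor's own namespace.

```python
# Added example, not from the thread: a toy model of PKI path building as a
# "chain of authority" over DNS-style namespaces. Names, zones and helpers
# are constructed for illustration; an issuer->subject edge stands in for a
# verified signature, no real cryptography is involved.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # who holds the key, e.g. "host.b." or a CA name
    issuer: str    # who signed, e.g. "Root-B"
    zone: str      # namespace the issuer vouches for the subject over


def in_zone(name: str, zone: str) -> bool:
    """DNS-style containment: True when `zone` is `name` or an ancestor of it."""
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


def build_path(certs, leaf, anchors):
    """Breadth-first search from `leaf` up issuer links to any trust anchor.

    `anchors` maps a trusted CA name to the zone the relying party lets that
    anchor vouch for.  Every link is an authority check, not a trust check:
    the cert below must lie inside the zone delegated by the cert (or the
    anchor policy) above it.  Returns the list leaf..top, or None.
    """
    by_subject = {}
    for c in certs:
        by_subject.setdefault(c.subject, []).append(c)
    queue = deque([[leaf]])
    seen = {leaf}
    while queue:
        path = queue.popleft()
        top = path[-1]
        # Reached a configured anchor whose policy covers what `top` claims.
        if top.issuer in anchors and in_zone(top.zone, anchors[top.issuer]):
            return path
        for cand in by_subject.get(top.issuer, []):
            if cand in seen:
                continue  # cross-certs can form cycles; visit each cert once
            if not in_zone(top.zone, cand.zone):
                continue  # an issuer cannot vouch outside its own delegation
            seen.add(cand)
            queue.append(path + [cand])
    return None


# Constructed sample: Root-A delegates com.a., whose CA issues a host cert;
# an independent Root-B issues its own host cert with no link to Root-A.
CERTS = [
    Cert("com.a.", "Root-A", "com.a."),
    Cert("host.com.a.", "com.a.", "host.com.a."),
    Cert("host.b.", "Root-B", "host.b."),
]
# Root-A cross-certifies Root-B for the b. namespace (no DNS analogue).
CROSS = Cert("Root-B", "Root-A", "b.")


def dns_like_hierarchy():
    """One root, strict delegation: only the A-side leaf can be validated."""
    a = build_path(CERTS, CERTS[1], {"Root-A": "a."})
    b = build_path(CERTS, CERTS[2], {"Root-A": "a."})
    return (len(a) if a else None, b)


def multiple_roots():
    """A PKI accepts several anchors: the same builder validates both leaves."""
    anchors = {"Root-A": "a.", "Root-B": "b."}
    return [len(build_path(CERTS, c, anchors)) for c in (CERTS[1], CERTS[2])]


def cross_certified(policy_zone):
    """Only Root-A is trusted; the b. leaf validates through the cross-cert
    only if the relying party lets Root-A vouch for `policy_zone`."""
    path = build_path(CERTS + [CROSS], CERTS[2], {"Root-A": policy_zone})
    return [c.subject for c in path] if path else None


if __name__ == "__main__":
    print("single root, DNS-like:", dns_like_hierarchy())
    print("two anchors:", multiple_roots())
    print("cross-cert, anchor may vouch for anything:", cross_certified("."))
    print("cross-cert, anchor confined to a.:", cross_certified("a."))
```

The DNS-like case shows authority propagating only along delegation edges: the b. leaf is unreachable from Root-A no matter how the hierarchy under Root-A is shaped. The last two calls show what cross-certification adds and why it has no DNS counterpart: Root-A is being asked to vouch for a namespace it never owned, which the relying party may accept or refuse by policy.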
