Stef's point that PKI cannot represent trust relationships is deflected -- but not denied -- by Kent. Does this mean that we can have a global PKI on DNS? No. I believe that Kent is right when he says that PKI deals with a chain of authority, not a chain of trust. This may seem to be an arcane point but a chain of authority can be defined by a self-reference and can be propagated from a single reference to a single reference whereas a chain of trust cannot, in both counts. Indeed, a PKI hierarchy (and chain of authority) is very similar to the DNS hierarchy and zone delegation system. There is a nit, however. A PKI modeled on the DNS would fail to work as a PKI. Contrary to the DNS and as an "infrastructure", a PKI should be able to accept -- and use -- multiple roots. But there is no concept of "cross CA" certification in the DNS, which would be akin to routing across multiple roots in the DNS. In fact, this is exactly what the ICANN folks set out to prevent... Cheers, Ed Gerck Stephen Kent wrote: > At 10:42 PM -0700 6/12/02, Einar Stefferud wrote: > >May I suggest that someone do a little work on proving the trust is > >transitive, as that is what this is really all about, and if it > >turns out that trust in not transitive, then what was the point? > > > >Maybe if you ask Google about trust transitivity, you all might > >learn something;-)... > > > >Cheers..Stef > > > >PS: I trimmed the address list to just IETF;-)...\s > > > > Stef, > > Trust generally is not transitive, but cert chains are not about > transitive trust. The DNS is a hierarchy with clear lines of > authority for name spaces. A PKI modeled on the DNS would parallel > the existing hierarchy and merely codify the relationships expressed > by it in the form of public key certs. > > Steve