At 9:08 AM -0700 6/13/02, Einar Stefferud wrote:

>I understand clearly about chains of authority and about the lack of
>trust transitivity.

The rest of your message strongly suggests that you don't.

>What makes a DNS delegation of naming zone authority into a trust
>transitivity vehicle.

I assume there was an implied question mark above.

>Why should I trust VeriSign to vouch for my reasons to trust you?

I think you may be falling into a common trap, i.e., assuming that PKIs must be based on explicit trust in CAs. A trusted third party public CA, which is what VeriSign is primarily known as, does require explicit trust, because it is not authoritative for the identities for which it vouches. However, the entities that operate domains in the DNS are authoritative for the names in their subdomains. If they act as CAs, there is no explicit trust requirement. With suitable controls (specifically, use of the NameConstraints extension) these CAs cannot issue certs (that will be considered valid) for entities outside of their name spaces. Thus they cannot do any worse than they can do today, in terms of basic assertions about the binding between a name and an address. The primary motivation I see for a DNS-based PKI is to provide a basis for better security for these bindings, in support of PKI-enabled applications.

>When you turn out to have a bogus CERT, after I have trusted you,
>and I go to VERISIGN seeking redress for trusting them and their
>breach of my trust, what do they offer me other than the simple
>statement that
>
> "Go away! You do not have a contract with us!"
> "Our contract is only with the CERT holder!"
> "And we have disclaimed all liability to him as well."

Are you referring to VeriSign as a public CA or VeriSign as the owner of NSI, and operator of .COM and several other TLDs? There is a big difference. In either case, you seem to be assuming that liability must be associated with issuance of these certs, which need not be the case. Not all certs are for use with applications that support non-repudiation. One could adopt a cert policy, and express it in the DNS certs, to minimize the liability associated with their use. If the goal is to use certs to improve the quality of host & user authentication, that need not imply any new liabilities compared to what is implied by current DNS management.

>And when I go to ICANN for redress, because they supposedly vouched
>for their delegated authority to run a DNS Zone, they say:
>
> "Sorry, this has nothing to do with us!"
> "We are not a party to any liability here!"
> "We only deal with DNS Zones, and do not
> Vouch for the data contained therein,
> because we do not verify it in delegated zones!"
>
>So, what is it about DNS delegations that give you reason to inform
>this list that trust is transitive in the DNS?

You are the one who keeps saying that trust is transitive. I'm the one saying that it's not, and that a DNS-based PKI does not imply transitive trust.

<rest of message deleted, since it didn't say anything new, constructive, or generally relevant to the topic ...

Steve
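The NameConstraints behaviour Steve relies on above (a zone-operator CA whose certs are only valid for names inside its own subtree), modelled as an added example that is not part of the thread: a pure-Python check of the RFC 5280 dNSName form, with hypothetical CA names and a constructed chain.

```python
"""Model of RFC 5280 section 4.2.1.10 NameConstraints for the dNSName form.
Hypothetical CA names ("com zone CA", "example.com CA") are constructed
for illustration; nothing here is from a real PKI."""
from dataclasses import dataclass, field


def dns_in_subtree(name: str, subtree: str) -> bool:
    """True if 'name' is the subtree label itself or any host below it.
    'www.example.com' is within 'example.com' (a leading '.' is tolerated),
    but 'badexample.com' is not. Matching is case-insensitive."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".").lstrip(".")
    return name == subtree or name.endswith("." + subtree)


@dataclass
class CA:
    name: str
    # An empty 'permitted' list models a CA carrying no NameConstraints
    # (unconstrained); a real NameConstraints must not have an empty
    # permittedSubtrees, so this is a modelling simplification.
    permitted: list = field(default_factory=list)
    excluded: list = field(default_factory=list)


def name_allowed_by_chain(leaf_dns_names, chain) -> bool:
    """Return True only if every dNSName in the leaf satisfies the constraints
    of every CA on the path. Constraints intersect as the path is built, so a
    zone CA cannot widen what the CA above it permitted."""
    for ca in chain:
        for n in leaf_dns_names:
            if ca.permitted and not any(dns_in_subtree(n, s) for s in ca.permitted):
                return False          # outside this CA's name space
            if any(dns_in_subtree(n, s) for s in ca.excluded):
                return False          # explicitly carved out
    return True


# Constructed delegation-style chain: root -> .com zone CA -> example.com CA
ROOT = CA("root")
COM = CA("com zone CA", permitted=["com"])
EXAMPLE = CA("example.com CA", permitted=["example.com"],
             excluded=["internal.example.com"])
CHAIN = [ROOT, COM, EXAMPLE]

if __name__ == "__main__":
    print(name_allowed_by_chain(["www.example.com"], CHAIN))   # True
    print(name_allowed_by_chain(["www.other.com"], CHAIN))     # False
```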