Re: Global PKI on DNS?

At 9:08 AM -0700 6/13/02, Einar Stefferud wrote:
>I understand clearly about chains of authority and about the lack of 
>trust transitivity.

The rest of your message strongly suggests that you don't.

>What makes a DNS delegation of naming zone authority into a trust 
>transitivity vehicle.

I assume there was an implied question mark above.

>Why should I trust VeriSign to vouch for my reasons to trust you?

I think you may be falling into a common trap, i.e., assuming that 
PKIs must be based on explicit trust in CAs. A trusted third party 
public CA, which is what VeriSign is primarily known as, does require 
explicit trust, because it is not authoritative for the identities 
for which it vouches. However, the entities that operate domains in 
the DNS are authoritative for the names in their subdomains. If they 
act as CAs, there is no explicit trust requirement. With suitable 
controls (specifically, use of the NameConstraints extension) these 
CAs cannot issue certs (that will be considered valid) for entities 
outside of their name spaces. Thus they cannot do any worse than they 
can do today, in terms of basic assertions about the binding between 
a name and an address. The primary motivation I see for a DNS-based 
PKI is to provide a basis for better security for these bindings, in 
support of PKI-enabled applications.

>When you turn out to have a bogus CERT, after I have trusted you, 
>and I go to VERISIGN seeking redress for trusting them and their 
>breach of my trust, what do they offer me other than the simple 
>statement that
>
>	"Go away!  You do not have a contract with us!"
>	"Our contract is only with the CERT holder!"
>	"And we have disclaimed all liability to him as well."

Are you referring to VeriSign as a public CA or VeriSign as the owner 
of NSI, and operator of .COM and several other TLDs? There is a big 
difference.

In either case, you seem to be assuming that liability must be 
associated with issuance of these certs, which need not be the case. 
Not all certs are for use with applications that support 
non-repudiation. One could adopt a cert policy, and express it in the 
DNS certs, to minimize the liability associated with their use. If 
the goal is to use certs to improve the quality of host & user 
authentication, that need not imply any new liabilities compared to 
what is implied by current DNS management.

>And when I go to ICANN for redress, because they supposedly vouched 
>for their delegated authority to run a DNS Zone, they say:
>
>	"Sorry, this has nothing to do with us!"
>	"We are not a party to any liability here!"
>	"We only deal with DNS Zones, and do not
>	Vouch for the data contained there-in,
>	because we do not verify it in delegated zones!"
>
>So, what is it about DNS delegations that give you reason to inform 
>this list that trust is transitive in the DNS?

You are the one who keeps saying that trust is transitive. I'm the 
one saying that it's not, and that a DNS-based PKI does not imply 
transitive trust.

<rest of message deleted, since it didn't say anything new, 
constructive, or generally relevant to the topic ...

Steve
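The NameConstraints point in the message above (a zone-operator CA whose 
certs are only considered valid inside its own part of the DNS tree), as 
an added example that is not part of Steve's message or of any IETF 
specification: a stdlib-only Python check of the RFC 5280 section 
4.2.1.10 dNSName constraint rule, walking a chain of CAs and rejecting a 
leaf whose SAN falls outside any CA's permittedSubtrees or inside any 
excludedSubtrees entry. The zone names, hostnames and the `ZoneCA` 
shape are constructed for illustration; a real validator would apply 
the same rule to the intermediate CA certificates' own names and to the 
other name forms (rfc822Name, iPAddress, URI), which are left out here.

```python
"""
Added example (not code from this thread): a stdlib-only check of the
RFC 5280 section 4.2.1.10 dNSName NameConstraints rule, showing how a
zone-operator CA is prevented from producing valid certs outside its own
name space. Zone names and hostnames are constructed for illustration;
no real CA or zone is modelled.
"""
from dataclasses import dataclass, field


@dataclass
class ZoneCA:
    """A CA certificate reduced to the fields the name-constraint check needs
    (hypothetical shape). permitted/excluded hold the dNSName entries of its
    NameConstraints extension; they apply to every cert issued below it."""
    name: str
    permitted: list = field(default_factory=list)
    excluded: list = field(default_factory=list)


def dns_in_subtree(dns_name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10: a dNSName is within a constraint subtree when it is
    equal to the subtree or ends with '.' + subtree, so 'example.com' covers
    'www.example.com' but not 'notexample.com'. A leading '.' on the
    constraint (seen in deployed certs) is tolerated; an empty subtree
    denotes the whole DNS namespace."""
    n = dns_name.lower().rstrip(".")
    s = subtree.lower().rstrip(".").lstrip(".")
    if not s:
        return True
    return n == s or n.endswith("." + s)


def validate_chain(chain: list, leaf_dns_names: list) -> tuple:
    """Walk the chain from trust anchor to issuing CA, accumulate each CA's
    constraints, then require every dNSName in the leaf's SAN to be inside
    every CA's permittedSubtrees and outside every excludedSubtrees entry.
    Checking each CA's permitted set separately is equivalent to taking the
    intersection of the sets, as RFC 5280 path validation does.
    Returns (ok, reason)."""
    permitted_sets = [ca.permitted for ca in chain if ca.permitted]
    excluded = [e for ca in chain for e in ca.excluded]
    for dns in leaf_dns_names:
        for e in excluded:
            if dns_in_subtree(dns, e):
                return False, f"{dns} is inside excludedSubtrees entry {e!r}"
        for permitted in permitted_sets:
            if not any(dns_in_subtree(dns, p) for p in permitted):
                return False, f"{dns} is outside permittedSubtrees {permitted}"
    return True, "all SAN dNSNames satisfy the chain's NameConstraints"


# Constructed chain: an unconstrained root, a CA run by a hypothetical .com
# zone operator constrained to "com", and a CA run by the operator of
# example.com constrained to its own zone (with one excluded subzone).
ROOT = ZoneCA("root")
COM_ZONE_CA = ZoneCA("com-zone", permitted=["com"])
EXAMPLE_ZONE_CA = ZoneCA("example.com-zone", permitted=["example.com"],
                         excluded=["internal.example.com"])
ZONE_CHAIN = [ROOT, COM_ZONE_CA, EXAMPLE_ZONE_CA]


if __name__ == "__main__":
    for sans in (["www.example.com"],          # inside every constraint
                 ["www.example.org"],          # rejected by the com zone CA
                 ["notexample.com"],           # suffix trick: not a subdomain
                 ["db.internal.example.com"],  # explicitly excluded
                 ["www.example.com", "mail.example.org"]):  # one bad SAN fails
        ok, why = validate_chain(ZONE_CHAIN, sans)
        print(f"{sans!s:45} -> {'valid' if ok else 'REJECTED'}: {why}")
```

The "notexample.com" case is the one worth noting: a naive suffix 
comparison would let the example.com zone CA vouch for it, which is 
exactly the kind of out-of-zone assertion the extension is meant to rule 
out, so the match requires the dot boundary.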

