Re: Global PKI on DNS?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





Keith Moore wrote:

> > A PKI modeled on the DNS would parallel
> > the existing hierarchy and merely codify the relationships expressed
> > by it in the form of public key certs.
>
> so what you're saying is that the cert would mean something like:

;-) actually, to a lawyer, a PKI cert says something like:

    "By issuing this certificate We state in accordance with the rules which We
     make and vary as We think fit for that purpose from time to time without
     accepting any obligation to any other person (including any Internet
     standardization entity) for the effect or consequences of Our choice of
     those rules or of Our variation of them, hereafter called "CPS," that:

     1. The text string herein designated 'name' contains the string received by Us
     from a person, entity or machine, hereafter called entity, claiming it as that
     entity's name.

     2. We may have taken some measures at some time to receive evidence (which
     We may not have preserved and may not be able to produce) of a
     connection between the name and the entity from whom it was apparently
     received.

     3. We have reproduced the string as We believe that We received it, which
     We have denoted and formatted as to Our exclusive understanding of it,
     of its context and of its validity, as regulated by Our CPS.

     4. We may have tested the bit string herein designated 'key' to test whether,
     at the date appearing in this certificate, it appears to correspond to a
     counterpart apparently available to the entity from whom We apparently
     received the name.

     5. We are whom We claim to be.  This claim can be verified by checking Our
     signature on this certificate We supply with a key which We claim to be Our
     public key.  We do not offer you any grounds for believing that the public
     key in question is Our public key or that it has not been revoked before
     or after the date of signature of this certificate.  The only evidence We
     provide of the correctness of the date of signature stated in this certificate is
     that it is dated before the date on which you are reading this certificate.

     6. We may revoke this certificate at any time without telling you or anyone
     else.  The fact that you have downloaded this certificate from Our server
     does not mean that it has not previously been revoked. The fact that no
     revocation for it can be found in Our server does not mean that this
     certificate is valid either.

     7. You may rely on this certificate only at your own risk, and by so doing
     you confirm your acceptance of the conditions subject to which it is issued
     as stated in the CPS for the time being in force, which is not to be
     construed as any obligation regarding the time this certificate was signed by Us or
     used by you.  These conditions include terms prohibiting you from claiming
     to be inadequately qualified or trained to understand or apply the conditions,
     or to have relied upon Us as an expert, or that you were forced to rely on
     Us through lack of information with which to verify Our statements, or that
     you were forced to rely on Us through lack of choice by any reason such as
     the named entity's lack of alternatives for certificates, the browser's lack
     of alternatives for embedded root keys, etc.

     8. What public-key cryptography has joined, may time and machines not part,
     but of such binding We provide no assurance.

     In  Honor of Our Root-Certificate, which attests to Our faith in the
     Root-Key, until We decide to revoke them but maybe not both."

For a user's view, check http://www.mcg.org.br/x509cert.htm

Cheers,
Ed Gerck


>
>
> "we certify that this key was supplied by a party who gave us money
> in exchange for our assigning domain name x.y to it.  we have no
> idea who that party really is, whether it is trustworthy, and
> in particular whether that party can be trusted to manage its keys
> in such a way as to make compromise unlikely.  for that matter,
> we're not even entirely sure whether the party that gave us money
> for this domain last time it was renewed was the same as the party
> that gave us money for the domain in the past.  for that matter,
> we didn't get the money directly from that party, we got it from
> a registrar who you may or may not be able to trust either.
>
> and for that matter, you have no idea whether we are trustworthy.
> we could be making all of this up, and in fact we're so large and
> control the trust relationships to so many domains that there is
> a fair amount of incentive for us to do exactly that under some
> conditions, but we won't tell you want those are  but you should
> trust us anyway, because we said so"
>
> Keith





[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]