> > > A PKI modeled on the DNS would parallel the existing hierarchy and
> > > merely codify the relationships expressed by it in the form of
> > > public key certs.
> >
> > so what you're saying is that the cert would mean something like:
>
> ;-) actually, to a lawyer, a PKI cert says something like:
>
> [deleted]

Part of the problem is that we are mixing two issues, i.e. "am I speaking to the server that is legitimately designated by the name www.example.com", and "am I speaking to the service that is supposed to manage my examples." Attaching certificates to names may solve the former; solving the latter requires that the user discovers in a trusted way the DNS name associated with the service. We know that there are many psychology-based attacks that can fool users into connecting to the wrong name; PKI certificates attached to the DNS name are not going to solve that.

There is in addition an even more murky area, which is the validity of the binding over time. Some artists specialize in grabbing DNS names that their legitimate users fail to renew in time. Suddenly, www.example.com is not managing my examples anymore; it has become a gateway to a porn site. Yet, that porn portal has a perfectly valid and up-to-date PKI certificate. Amusing, isn't it?

-- Christian Huitema