At 12:51 PM -0700 6/13/02, Christian Huitema wrote:
>> > > A PKI modeled on the DNS would parallel
>> > > the existing hierarchy and merely codify the relationships expressed
>> > > by it in the form of public key certs.
>> >
>> > so what you're saying is that the cert would mean something like:
>>
>> ;-) actually, to a lawyer, a PKI cert says something like:
>>
>> [deleted]
>
>Part of the problem is that we are mixing two issues, i.e. "am I speaking
>to the server that is legitimately designated by the name
>www.example.com", and "am I speaking to the service that is supposed to
>manage my examples." Attaching certificates to names may solve the
>former; solving the latter requires that the user discovers in a trusted
>way the DNS name associated to the service. We know that there are many
>psychology-based attacks that can fool users to connect to use the wrong
>name; PKI certificates attached to the DNS name is not going to solve
>that.

Well said. I think there would be considerable benefit from trying to solve the former problem. The latter problem is very hard, and does enter the realm of "who do you trust" which is a very complex realm, one in which the lack of transitivity of trust becomes a big issue.

>There is in addition an even more murky area, which is the validity of
>the binding over time. Some artists specialize in grabbing DNS names
>that their legitimate users fail to renew in time. Suddenly,
>www.example.com is not managing my examples anymore, it has become a
>gateway to a porn site. Yet, that porn portal has a perfectly valid and
>up-to-date PKI certificate. Amusing, isn't it?

Yes. But, the problem does not get better or worse with certs so long as the validity periods are matched to the renewal periods.

Steve