At 2:47 PM -0400 6/13/02, Keith Moore wrote:
>> A modest, realistic ambition for a DNS-based PKI would be to improve
>> the security of the binding between DNS entries and the associated
>> machines
>
>yes, I think this is right. it eliminates some kinds of threats. but
>it still doesn't guarantee that you're talking to the service you think
>you're talking to. and that's a difficult distinction to communicate
>to users.

It is unlikely that we can ever create a system that ensures that every user is "talking to the service you think you're talking to" because users can make all sorts of mistakes in trying to express who they really want to talk to. That's why I think it makes sense to settle for a more modest aim, i.e., authenticating that you are connected to the entity registered with the DNS name that you asserted that you wanted to talk to.

>that and putting this much trust in the registries makes them very
>attractive targets.

Which registries? DNS servers are already attractive targets. Absent other forms of strong authentication, we rely on the integrity of the DNS to ensure that we are talking to who we ....

Steve