Stephen Kent wrote:
> Ed,
>
> <snip>
>
> I think your sample CPS, while more than a little tongue in cheek, is
> a good example of what a CA may assert. But, in the DNS context, many
> of the issues you note are much less serious concerns than in a
> general CA context, because of the existing limitations on the names,
> the existing semantics associated with names by the DNS, ...

Steve:

I am in substantial agreement with your comments, especially the last one above. However, as I commented earlier, I believe that the DNS and the PKI models are incompatible IF you truly want to have a PKI. The reason is that a true PKI would need to work with multiple roots, while the DNS cannot do it.

HOWEVER, since Verisign de facto controls the DNS name space (the space that matters, anyway) AND is a CA, there is a possibility (some might say the danger) for Verisign to use this position to de facto control a quasi-PKI space and the domain name space.

As a last comment, and already abusing the list's patience, we need to reinvent/revisit PKI! Changes are needed also in the DNS. One just needs to take a look at the PKI space (and sales) to realize that it is at a dead end, topped off. PKI experience is proving my assertion of 5 years ago that PKI cannot scale beyond a certain size and only works in a friendly context, or in one where liabilities to the user are utterly denied (in the military, or as US law still allows -- "user beware").

Thus, perhaps the DNS PKI experience will be good, after all. It may help increase/motivate the need for reinventing both PKI and the DNS. Perhaps, in this new design, we will be able to build in that elusive trust, which has evaporated.

Cheers,

Ed Gerck