Re: Global PKI on DNS?

Ed,

>Stephen Kent wrote:
>
>>  Ed,
>>
>>  <snip>
>>  I think your sample CPS, while more than a little tongue in cheek, is
>>  a good example of what a CA may assert. But, in the DNS context, many
>>  of the issues you note are much less serious concerns than in a
>>  general CA context, because of the existing limitations on the names,
>>  the existing semantics associated with names by the DNS, ...
>
>Steve:
>
>I am in substantial agreement with your comments, especially the last one
>above.  However, as I commented earlier, I believe that the DNS and the
>PKI models are incompatible IF you truly want to have a PKI.  The reason
>is that a true PKI would need to work with multiple roots while the DNS
>cannot do it.  HOWEVER, since Verisign de facto controls the DNS
>name space (the space that matters, anyway) AND is a CA, there is
>a possibility (some might say the danger) for Verisign to use this
>position to de facto control a quasi-PKI space and the domain name
>space.

Could you elaborate, perhaps privately, with why you believe a "true 
PKI" needs multiple roots?


>As a last comment, and already abusing the list patience, we need to
>reinvent/revisit PKI! Changes are needed also in the DNS.
>
>One just needs to take a look at the PKI space (and sales) to realize that
>it is at a dead end, topped off. PKI experience is proving my assertion of
>5 years ago that PKI cannot scale beyond a certain size and only works
>in a friendly context, or in one where liabilities to the user are
>utterly denied (in the military or as US law still allows -- "user beware").
>
>Thus, perhaps the DNS PKI experience will be good, after all. It may help
>increase/motivate the need for reinventing both PKI and the DNS.
>Perhaps, in this new design, we will be able to build in that elusive trust,
>which has evaporated.

As you can tell from my messages, I have a broad view of what PKIs 
are and what they are good for, and so I have a different spin on the 
relative lack of success re PKI deployment. My view is that too many 
folks have tried to get too much out of any single PKI, and that has 
caused a lot of our headaches. If we admit to the need for many PKIs, 
each serving a well-defined user community, then I think each of 
these PKIs would be easier to create, manage, and deal with from a 
liability standpoint.

If I look in my wallet, I have a lot of credentials, each issued by a 
different organization. Each is useful only in certain contexts. Each 
tends to uniquely identify me via a number of some sort, and often 
that number is meaningful only in the context for which the 
credential was developed. We would be in pretty good shape if we had 
PKIs that parallel these paper and plastic credentials. The security 
would be better and, with good software, the convenience would be 
better for users. Trying to create a single PKI that issues a cert 
that replaces all of these credentials is just not going to work.

Steve
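
The "many PKIs, each serving a well-defined user community" model above, as an added example that is not part of this thread or of any project mentioned in it. It uses only the Go standard library (crypto/x509) and two constructed communities with hypothetical DNS names, "bank.example" and "campus.example". Each community runs its own self-signed root, and an RFC 5280 name constraint on that root ties it to its own DNS subtree, which is the kind of existing limitation on names that Steve refers to earlier in the thread. A relying party decides which root it trusts for a given context, so a certificate from one PKI is accepted there and nowhere else, and a root that tries to vouch for a name outside its subtree is rejected at validation time even though it signed the certificate:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pki is a hypothetical single-community trust domain: one self-signed root that an
// X.509 name constraint confines to one DNS subtree. All names here are constructed.
type pki struct {
	key  *ecdsa.PrivateKey
	root *x509.Certificate
}

// sign issues tmpl under parent (self-signed when parent == tmpl); demo helpers panic on failure.
func sign(tmpl, parent *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// newPKI builds a root CA that may sign only for `domain` and names beneath it.
func newPKI(name, domain string) *pki {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name + " Root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		// RFC 5280 4.2.1.10 name constraints: the DNS tree bounds what this root may assert.
		PermittedDNSDomains:         []string{domain},
		PermittedDNSDomainsCritical: true,
	}
	return &pki{key: key, root: sign(tmpl, tmpl, &key.PublicKey, key)}
}

// issue signs a server cert for dnsName; the CA does not filter names, the verifier enforces scope.
func (p *pki) issue(dnsName string) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, p.root, &newKey().PublicKey, p.key)
}

// accepts: would a relying party trusting only this root accept leaf for dnsName?
func (p *pki) accepts(leaf *x509.Certificate, dnsName string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(p.root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err == nil
}

// Scenario stands up two independent PKIs, one per community, and reports whether the
// bank's leaf is accepted by its own root, by the campus root, and whether a cert the
// bank root signed for a campus name is accepted (it violates the name constraint).
func Scenario() (ownRoot, otherRoot, outOfScope bool) {
	bank := newPKI("Bank", "bank.example")
	campus := newPKI("Campus", "campus.example")
	leaf := bank.issue("login.bank.example")
	stray := bank.issue("mail.campus.example") // the bank root vouching for a campus name
	return bank.accepts(leaf, "login.bank.example"),
		campus.accepts(leaf, "login.bank.example"),
		bank.accepts(stray, "mail.campus.example")
}

func main() {
	own, other, stray := Scenario()
	fmt.Println(own, other, stray) // true false false
}
```

Run it with `go run main.go`. The point of the design is that the relying party, not the CA, is where scope is enforced: the bank root is free to sign anything, but because the root carries a critical name constraint and the verifier trusts only the root appropriate to the context, neither the cross-community nor the out-of-subtree certificate gets through. Adding a third community means adding a third root with its own constraint, not widening any existing one.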