Ed, >Stephen Kent wrote: > >> Ed, >> >> <snip> >> I think your sample CPS, while more than a little tongue in cheek, is >> a good example of what a CA may assert. But, in the DNS context, many >> of the issues you note are much less serious concerns than in a >> general CA context, because of the existing limitations on the names, >> the existing semantics associated with names by the DNS, ... > >Steve: > >I am in substantial agreement with your comments, especially the last one >above. However, as I commented earlier, I believe that the DNS and the >PKI models are incompatible IF you truly want to have a PKI. The reason >is that a true PKI would need to work with multiple roots while the DNS >cannot do it. HOWEVER, since Verisign de facto controls the DNS >name space (the space that matters, anyway) AND is a CA, there is >a possibility (some might say the danger) for Verisign to use this >position to de facto control a quasi-PKI space and the domain name >space. Could you elaborate, perhaps privately, with why you believe a "true PKI" needs multiple roots? >As a last comment, and already abusing the list patience, we need to >reinvent/revisit PKI! Changes are needed also in the DNS. > >One just needs to take a look to the PKI space (and sales) to realize that >it is at a dead end, topped off. PKI experience is proving my assertion of >5 years ago that PKI cannot scale beyond a certain size and only works >in a friendly context, or in one where liabilities to the user are >utterly denied >(in the military or as US law still allows -- "user beware"). > >Thus, perhaps the DNS PKI experience will be good, after all. It may help >increase/motivate the need for reinventing both, PKI and the DNS. >Perhaps, in this new design, we will be able to build in that elusive trust, >which has evaporated. As you can tell from my messages, I have a broad view of what PKIs are and what they are good for, and so I have a different spin on the relative lack of success re PKI deployment. My view is that too many folks have tried to get too much out of any single PKI, and that has caused a lot of our headaches. if we admit to the need for many PKIs, each serving a well-defined user community, then I think each of these PKIS would be easier to create, manage, and deal with from a liability standpoint. if I look in my wallet, I have a lot of credentials, each issued by a different organization. Each is useful only in certain contexts. Each tends to uniquely identify me via a number of some sort and often that number is meaningful only in the context for which the credential was developed. We would be in pretty good shape if we had PKIs that parallel these paper and plastic credentials. The security would be better and with good software, the convenience would be better for users. Trying to create a single PKI that issues a cert that replaces all of these credentials is just not going to work. Steve