Re: Global PKI on DNS?

on 6/14/2002 11:29 AM Ed Gerck wrote:

> since Verisign de facto controls the DNS name space

Having any [registry-X] control [TLD-Y] at any given moment is a whole
'nother set of issues. E.g., if the registry operator for a TLD changes,
would the private key linked to the TLD also need to be changed?

I'd say that the only way to meld these technologies is to use DNS as a
locator for a self-signed root certificate associated with a domain.
Caveat being that even then you are at the mercy of the signer. You don't
know if you are talking with fred@example.com or if you are really talking
to bofh@example.com who has access to the repository. Likewise, you don't
know if you are talking with mailserver.example.com or if you are talking
to bofh-pc.example.com. And there's still the problem of ensuring the
integrity of the link between the DNS referral and how you get to the CA
authority; maybe bofh@hosting.example.net has hijacked the target machine,
or maybe he is running a different copy of the zone and is happy to
redirect "only" half of the traffic.

About the only thing you could use this for is to prove that you aren't
talking to something -- they haven't been able to obtain a copy of the
private key, legitimately or otherwise -- meaning that it would
essentially be PTR/A validation on steroids. It could also be useful for
negotiating transport security services and a limited amount of identity
information (similar to what you get from PTR/A validation) but would not
be useful for any explicit identity information. Some sort of external
notary service is still necessary for that.

Of course the universe is at the mercy of network operator integrity
already so maybe this is ok.

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
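The distinction drawn in the post above (DNS-located self-signed key proves possession of a private key, not who the holder is) as an added example that is not part of Eric Hall's message or of any IETF proposal. The zone is an in-memory map of name to key fingerprint standing in for whatever record type a real design would use, and Ed25519 stands in for whatever signature scheme the domain's root certificate would carry; both are assumptions made for the demonstration. Three constructed scenarios are run: the legitimate holder passes, an impostor who never obtained the key fails, and a "bofh" with write access to the zone (or serving his own copy of it) swaps in his own fingerprint and passes under fred's name.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Zone stands in for the DNS zone: name -> hex SHA-256 fingerprint of the
// self-signed root public key the zone "publishes" for that name.
// Constructed stand-in for the example; no real DNS record type is implied.
type Zone map[string]string

// Responder is whoever answers on the far end. It may or may not hold the
// private key matching the fingerprint the zone publishes.
type Responder struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey // nil when the responder does not have the key
}

func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// answer is the responder's half of the exchange: sign the verifier's nonce
// with whatever private key it holds. Without the key it can only send junk.
func (r Responder) answer(nonce []byte) []byte {
	if r.Priv == nil {
		return make([]byte, ed25519.SignatureSize) // forged: nothing to sign with
	}
	return ed25519.Sign(r.Priv, nonce)
}

// Verify is the verifier's half: look up the fingerprint the zone publishes
// for the name, check the presented key matches it, then challenge the
// responder to prove possession of the matching private key.
func Verify(zone Zone, name string, r Responder) bool {
	want, ok := zone[name]
	if !ok || fingerprint(r.Pub) != want {
		return false
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return ed25519.Verify(r.Pub, nonce, r.answer(nonce))
}

// ScenarioOwner: fred generated the key and published its fingerprint.
func ScenarioOwner() bool {
	pub, priv := newKey()
	zone := Zone{"fred.example.com": fingerprint(pub)}
	return Verify(zone, "fred.example.com", Responder{Pub: pub, Priv: priv})
}

// ScenarioNoKey: an impostor who never obtained the private key fails even
// though it presents the right public key. This is the "negative proof":
// you can show you are NOT talking to someone without the key.
func ScenarioNoKey() bool {
	pub, _ := newKey()
	zone := Zone{"fred.example.com": fingerprint(pub)}
	return Verify(zone, "fred.example.com", Responder{Pub: pub, Priv: nil})
}

// ScenarioZoneHijack: bofh can write to the zone (or serves his own copy).
// He publishes his own fingerprint under fred's name and the check passes,
// so the verifier learns nothing about identity beyond control of the zone.
func ScenarioZoneHijack() bool {
	fredPub, _ := newKey()
	bofhPub, bofhPriv := newKey()
	zone := Zone{"fred.example.com": fingerprint(fredPub)}
	zone["fred.example.com"] = fingerprint(bofhPub) // bofh rewrites the record
	return Verify(zone, "fred.example.com", Responder{Pub: bofhPub, Priv: bofhPriv})
}

func main() {
	fmt.Println("owner with key:       ", ScenarioOwner())      // true
	fmt.Println("impostor without key: ", ScenarioNoKey())      // false
	fmt.Println("zone hijacker, own key:", ScenarioZoneHijack()) // true
}
```

The third scenario is the whole point: the verifier's only trust anchor is the record it fetched, so anyone who can publish or serve that record passes as the name. Binding the name to a person or host still needs something outside the zone, which is the external notary the post calls for.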

