At 2:05 PM -0400 6/14/02, John Stracke wrote:

>>In a system like DNS which makes clear who is authoritative for which names, I don't think the term "trust" is applicable, and that is the crux of our disagreement.
>
>The problem is that, although the owner of the domain is authoritative for who gets to use which name, that doesn't mean their users want them to issue certificates. The first requires that the owner trusts the users; the second requires that the users trust the owner. And trust is not symmetric.

I see your point, but there are a lot of ways to look at this issue in the general case.

The state in which I reside determines who is authorized to issue my driver's license. The country of which I am a citizen determines who issues my passport. The employer for whom I work determines who issues my employee ID. The banks with whom I elect to have credit card relationships determine the numeric spaces from which my credit card numbers are selected. In each case the issuer of the credential is precisely the entity who "owns" the name space in which the credential is issued. Why should a DNS-based PKI be different?

As soon as you decide to allow 3rd parties to issue credentials in name spaces for which they are not authoritative, you DO introduce a whole raft of trust issues, and that makes PKIs very hard to manage and for users to understand.

Maybe if I don't want my DNS cert issued by the admin for the DNS subdomain in which you "live" I should "move" to a new subdomain, a better neighborhood in cyberspace?

Steve