Re: Global PKI on DNS?

Stef,

>Hi Steve -- Now we are beginning to connect with the real meta issue.
>
>I am talking about "Trust Transitivity" in general.
>We agree that the DNS offers no trust functions, useful or otherwise.
>So, my focus is not on PKI as related to DNS, which is what you 
>addressed here.
>
>It is the fundamental issue of trust transitivity in PKI.
>
>I will concede that PKI is transitive in terms of "connectedness" as is DNS.
>Both have relations of relatedness, but this does not confer 
>transitivity on trust.
>Trust still has to be earned, not awarded, in any case.
>
>I am questioning the validity of the widely held assumption that trust is
>(or can be) transitive in PKI (or anywhere for that matter).
>
>So, back to my basic question:
>
>Is trust transitive anywhere under any conditions?
>
>I question that it is, until someone proves that:
>
>	"Trust is transitive somewhere/anywhere in real life";
>
>and then prove that:
>
>	"Trust is transitive in PKI Theory";
>
>and then prove that:
>
>	"Trust is transitive in PKI reality".
>
>HINT:  It will help if you can refer to some Formal Logical Theory of TRUST.
>
>First, forget PKI and forget DNS, and show that trust is transitive 
>somewhere under some describable conditions.  Then show that trust 
>is transitive in PKI.
>
>I know that many people assume that Trust is transitive in PKI.
>I am not asking about popular opinion here.
>We need some formally logical facts.
>If you have some, please show them to us.
>
>Cheers...\Stef

This is getting tiresome. I have the feeling that you do not read my 
messages to the end. I'll keep this short:

	- I have never stated that trust is transitive; in fact, I 
have given numerous talks and written a number of papers that state 
the opposite, so my position has been consistent and on the record 
for many years.

	- although many popular PKIs (including PGP) assume 
transitive trust, this is not an intrinsic feature of PKIs.

	- a PKI in which each CA is authoritative for the name space 
in which it issues certs need not involve transitive trust.

	- cross-certification in such a PKI need not involve trust; 
it can merely represent a recognition by one CA of the authority of 
another CA for a different part of a name space.

In the case of DNS, where authority for each part of the name space 
is well defined, I argue that having the folks who are responsible 
for the domains assume the role of CA for their domains is a natural 
way to create a PKI that attests only to the binding of DNS names to 
keys. I maintain that this does not involve transitive trust.

Steve
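The following is an added worked example, not code from either correspondent or from any IETF document; it models the path-validation rule that makes Steve's point concrete. Every CA is scoped to a DNS subtree (the same narrowing-only semantics as X.509 permittedSubtrees name constraints), so certifying a CA confers authority over that subtree and nothing else; a CA's statement about a name outside its subtree is rejected no matter how well certified the CA itself is, and a cross-certificate only recognises another CA for the part of the name space it names. Certificates are plain dicts with a stand-in "signature" (the issuer's key string); all names, keys and scenarios are constructed for illustration.

```python
"""Toy DNS-scoped PKI: authority over a name space, not transitive trust.

Model (constructed for illustration, not a real X.509 implementation):
  - a Cert binds a DNS name to a key and is "signed" by its issuer's key;
  - a CA cert carries `permitted`, the DNS subtrees it may certify
    (None = unconstrained, which only a relying party's anchor gets);
  - along a path the permitted set can only narrow (intersection),
    so a subordinate or cross-certified CA never gains authority its
    issuer did not have, and a cross-cert conveys authority over the
    subtree it names and nothing more.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cert:
    subject: str                         # DNS name ("." is the root)
    issuer: str                          # subject of the issuing CA
    key: str                             # stand-in for the public key
    signed_by: str                       # stand-in for the signature: issuer's key
    is_ca: bool = False
    permitted: Optional[frozenset] = None  # subtrees this CA may certify


def in_subtree(name: str, subtree: str) -> bool:
    """True if name equals subtree or lies below it; "." matches everything."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return subtree == "" or name == subtree or name.endswith("." + subtree)


def permitted(name: str, authority: Optional[frozenset]) -> bool:
    return authority is None or any(in_subtree(name, s) for s in authority)


def intersect(current: Optional[frozenset], new: Optional[frozenset]) -> Optional[frozenset]:
    """Narrow authority: keep only subtrees lying inside both sets.
    An empty result means the CA may certify nothing at all."""
    if new is None:
        return current
    if current is None:
        return frozenset(new)
    narrowed = {n for n in new if any(in_subtree(n, c) for c in current)}
    narrowed |= {c for c in current if any(in_subtree(c, n) for n in new)}
    return frozenset(narrowed)


def validate(chain, anchors):
    """Validate a path (anchor excluded, leaf last) against a relying party's anchors.
    Returns (True, "<name> -> <key>") or (False, reason)."""
    if not chain:
        return (False, "empty chain")
    issuer = anchors.get(chain[0].issuer)
    if issuer is None:
        return (False, f"no trust anchor named {chain[0].issuer}")
    authority = issuer.permitted          # what the relying party grants its anchor
    for cert in chain:
        if cert.issuer != issuer.subject:
            return (False, f"{cert.subject}: issuer {cert.issuer} != {issuer.subject}")
        if not issuer.is_ca:
            return (False, f"{issuer.subject} is not a CA")
        if cert.signed_by != issuer.key:
            return (False, f"{cert.subject}: not signed with {issuer.subject}'s key")
        if not permitted(cert.subject, authority):
            return (False, f"{issuer.subject} is not authoritative for {cert.subject}")
        if cert.is_ca:                    # authority only ever narrows along the path
            authority = intersect(authority, cert.permitted)
        issuer = cert
    leaf = chain[-1]
    return (True, f"{leaf.subject} -> {leaf.key}")


def demo():
    """Constructed certificates and the scenarios from the discussion."""
    root = Cert(".", ".", "K_root", "K_root", True, None)
    com = Cert("com", ".", "K_com", "K_root", True, frozenset({"com"}))
    excom = Cert("example.com", "com", "K_excom", "K_com", True, frozenset({"example.com"}))
    www = Cert("www.example.com", "example.com", "K_www", "K_excom")
    # example.com's CA asserting a binding for a name it is not authoritative for:
    rogue = Cert("www.bank.org", "example.com", "K_rogue", "K_excom")
    # cross-cert: example.com's CA recognises example.org's CA for example.org only
    xcert = Cert("example.org", "example.com", "K_exorg", "K_excom", True, frozenset({"example.org"}))
    a_org = Cert("a.example.org", "example.org", "K_a", "K_exorg")
    b_com = Cert("b.example.com", "example.org", "K_b", "K_exorg")   # overreach by the cross-certified CA

    dns_rp = {".": root}                                           # relying party anchored at the DNS root
    excom_rp = {"example.com": Cert("example.com", "example.com", "K_excom", "K_excom", True, None)}
    return {
        "hierarchical":  validate([com, excom, www], dns_rp),       # accepted
        "rogue":         validate([com, excom, rogue], dns_rp),     # rejected: outside example.com
        "xcert":         validate([xcert, a_org], excom_rp),        # accepted: recognised for example.org
        "xcert_overreach": validate([xcert, b_com], excom_rp),      # rejected: no authority over example.com
        "root_via_xcert": validate([com, excom, xcert, a_org], dns_rp),  # rejected: example.com cannot widen its scope
    }


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{name:16} {'ACCEPT' if ok else 'REJECT'}  {detail}")
```

The rogue and xcert_overreach cases are the non-transitivity point: a relying party accepting example.com's CA as authoritative for example.com does not thereby accept that CA's (or its cross-certified peer's) claims about any other name. The root_via_xcert case shows that, seen from the DNS root, example.com's cross-cert cannot manufacture authority over example.org; that path is only meaningful to a relying party that has chosen example.com's CA as its own anchor.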

