Re: Global PKI on DNS?

> Yes, one could use the DNS merely as a repository for certs from any
> PKI. But, the DNS provides a unique opportunity to take advantage of
> an existing name system that is very widely used and which is
> precisely the way we usually communicate the name of the machine to
> which we wish to connect (or the name of the person to whom we wish
> to send a message). 

right, but the name is just a shorthand, it doesn't actually specify
the service to which we wish to connect.  it's entirely possible that
the name-to-service binding has changed without our knowing it,
which is why it's *essential* that we don't depend on such names 
as our primary identity for authentication.

> Now, having said that, I acknowledge that one can have such a PKI but
> not choose to have a single root for it. One could have each TLD act
> as its own root and cross certify (using name constraints) to link
> the TLDs together.

What's the point of encouraging people to trust an untrustworthy structure?  

Keith
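The point Keith makes above, that a name is only a shorthand and the name-to-service binding can change underneath the client, is easy to see in a toy model. The following is an added example, not code from the thread or from any IETF project: a directory object stands in for DNS and maps a name to the public-key fingerprint of whatever service is currently behind that name. Two client policies are compared: a name-only client trusts whatever key the directory currently publishes for the name, while a key-continuity client remembers the key it first saw for a name and requires it to stay the same. All keys and names are constructed sample values; `Directory`, `NameOnlyClient` and `KeyContinuityClient` are hypothetical names chosen for the illustration.

```python
"""Toy model of "the name is just a shorthand" (constructed example).

A Directory stands in for DNS: it maps a name to the fingerprint of the public
key of the service currently bound to that name.  When the binding is quietly
changed to a different service, a client that authenticates purely by name
still succeeds, while a client that pins the previously seen key notices.
"""
import hashlib

# Constructed sample "public keys"; any distinct byte strings will do here.
SERVICE_A_KEY = b"constructed-public-key-of-service-A"
SERVICE_B_KEY = b"constructed-public-key-of-service-B"


def fingerprint(pubkey: bytes) -> str:
    """Short SHA-256 fingerprint of a key, as a pinning policy would store it."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


class Directory:
    """Hypothetical name directory (stand-in for DNS): name -> key fingerprint."""

    def __init__(self) -> None:
        self._records: dict[str, str] = {}

    def publish(self, name: str, pubkey: bytes) -> None:
        # Re-publishing silently replaces the old binding, as a DNS update would.
        self._records[name] = fingerprint(pubkey)

    def lookup(self, name: str) -> str:
        return self._records[name]


class NameOnlyClient:
    """Accepts whichever key the directory currently associates with the name."""

    def authenticate(self, directory: Directory, name: str, presented_key: bytes) -> bool:
        return directory.lookup(name) == fingerprint(presented_key)


class KeyContinuityClient:
    """Also requires the key to match the one first seen for this name."""

    def __init__(self) -> None:
        self._pinned: dict[str, str] = {}

    def authenticate(self, directory: Directory, name: str, presented_key: bytes) -> bool:
        fp = fingerprint(presented_key)
        if directory.lookup(name) != fp:
            return False  # directory and presented key disagree
        expected = self._pinned.setdefault(name, fp)  # pin on first contact
        return expected == fp


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Returns (name-only result, key-continuity result) before and after rebinding."""
    directory = Directory()
    directory.publish("mail.example", SERVICE_A_KEY)
    name_client = NameOnlyClient()
    key_client = KeyContinuityClient()

    before = (
        name_client.authenticate(directory, "mail.example", SERVICE_A_KEY),
        key_client.authenticate(directory, "mail.example", SERVICE_A_KEY),
    )

    # The name is quietly re-bound to a different service with a different key.
    directory.publish("mail.example", SERVICE_B_KEY)

    after = (
        name_client.authenticate(directory, "mail.example", SERVICE_B_KEY),
        key_client.authenticate(directory, "mail.example", SERVICE_B_KEY),
    )
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(run_scenario())
```

The name-only client reports success both before and after the rebinding, because it never learns that "mail.example" now means something else; the key-continuity client fails after the rebinding, which is the signal a user or an operator would want to see. The model says nothing about whether the new binding is legitimate, only that trusting the name alone cannot tell the difference.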

