Re: Global PKI on DNS?

At 12:27 PM -0400 6/17/02, Keith Moore wrote:
>>  Yes, one could use the DNS merely as a repository for certs from any
>>  PKI. But, the DNS provides a unique opportunity to take advantage of
>>  an existing name system that is very widely used and which is
>>  precisely the way we usually communicate the name of the machine to
>>  which we wish to connect (or the name of the person to whom we wish
>>  to send a message).
>
>right, but the name is just a shorthand, it doesn't actually specify
>the service to which we wish to connect.  it's entirely possible that
>the name-to-service binding has changed without our knowing it,
>which is why it's *essential* that we don't depend on such names
>as our primary identity for authentication.

The name is precisely what we specify to get to the machine (or 
cluster of machines) in question. So long as we use a DNS name for 
that purpose, it makes sense to use a certified DNS name to verify 
that we are connected to the place we said we wanted to contact. 
Which services are offered at that machine is a different matter. If 
I want to use certs with IPsec, then a cert with a DNS name is most 
appropriate. If I want a cert for use with S/MIME, then a cert with 
an RFC822 address is most appropriate, and having it be issued from a 
CA that is authoritative for the DNS name on the right side of the @ 
is appropriate.

>>  Now, having said that, I acknowledge that one can have such a PKI but
>>  not choose to have a single root for it. One could have each TLD act
>>  as its own root and cross certify (using name constraints) to link
>>  the TLDs together.
>
>What's the point of encouraging people to trust an untrustworthy structure?

Do you say the structure is untrustworthy because the TLD registrars 
sometimes make mistakes? That is an inevitable side effect of any 
large database system.  The TLD databases ARE the reference for the 
next tier name/address mapping, right or not. Anyone else acting as a 
CA at this level would have to rely on those databases, or we begin 
to get into the T-word big time.

What else would provide a good PKI basis for the sorts of certs I 
allude to above?

Steve
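
An added illustration, not part of the thread and not code posted by
either participant: the TLD-as-root, cross-certify-with-name-constraints
scheme discussed above rests on RFC 5280 name constraints (section
4.2.1.10) being enforced for both dNSName and rfc822Name entries. The
Python below implements that subtree matching and walks constructed
chains: a hypothetical .com trust anchor that issues a cross-certificate
to a hypothetical .uk root with permitted subtrees limited to "uk", plus
registrar-level CAs under each. Every CA, constraint and leaf name is
constructed for the example; nothing here is taken from a real registry.

```python
"""Name-constraint checking after RFC 5280 section 4.2.1.10.

Added example for the DNS-PKI discussion; the CAs, constraints and leaf
names below are constructed for illustration and do not describe any real
registry or certificate.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def dns_in_subtree(name: str, base: str) -> bool:
    """A dNSName satisfies a constraint when it equals the base or can be
    formed by adding labels to the left of it (RFC 5280 4.2.1.10)."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)


def rfc822_in_subtree(addr: str, base: str) -> bool:
    """rfc822Name constraints: 'host.example' matches any mailbox at that
    host, '.example' matches any host within the domain, and 'user@host'
    matches only that one mailbox."""
    addr, base = addr.lower(), base.lower()
    if "@" not in addr:
        return False
    host = addr.rsplit("@", 1)[1]
    if "@" in base:            # a particular mailbox
        return addr == base
    if base.startswith("."):   # any host in the domain
        return host.endswith(base)
    return host == base        # any mailbox at exactly this host


MATCHERS = {"dns": dns_in_subtree, "rfc822": rfc822_in_subtree}


@dataclass
class Constraints:
    """Name constraints carried by one CA certificate on the path.
    Keys are name types ('dns', 'rfc822'); values are subtree bases."""
    permitted: dict[str, list[str]] = field(default_factory=dict)
    excluded: dict[str, list[str]] = field(default_factory=dict)


def check_name(kind: str, value: str, chain: list[Constraints]) -> bool:
    """A name passes when, for every CA on the path that constrains this
    name type, it lies in some permitted subtree (if any are listed) and
    in no excluded subtree. Constraints intersect down the path, so a
    subordinate CA cannot widen what its issuer allowed."""
    match = MATCHERS[kind]
    for c in chain:
        permitted = c.permitted.get(kind)
        if permitted is not None and not any(match(value, b) for b in permitted):
            return False
        if any(match(value, b) for b in c.excluded.get(kind, [])):
            return False
    return True


def check_leaf(sans: list[tuple[str, str]], chain: list[Constraints]) -> list[str]:
    """Return the subjectAltName entries that violate the chain's constraints.
    An empty list means the leaf is acceptable under that path."""
    return [f"{k}:{v}" for k, v in sans if not check_name(k, v, chain)]


# Constructed model of the proposal. The relying party's trust anchor is a
# hypothetical .com root; per RFC 5280 6.1 the anchor's own certificate is
# not part of the validated path, so its constraints are not listed here.

# Cross-certificate the .com root issues to a hypothetical .uk root: names
# reached through it must lie under "uk" (hosts) or ".uk" (mailboxes).
CROSS_COM_TO_UK = Constraints(permitted={"dns": ["uk"], "rfc822": [".uk"]})

# Registrar-level CA under .com for example.com; it has delegated
# lab.example.com elsewhere and excludes it.
EXAMPLE_COM_CA = Constraints(
    permitted={"dns": ["example.com"], "rfc822": [".example.com", "example.com"]},
    excluded={"dns": ["lab.example.com"]},
)

# Registrar-level CA under the .uk root for example.co.uk.
UK_EXAMPLE_CA = Constraints(
    permitted={"dns": ["example.co.uk"], "rfc822": [".example.co.uk", "example.co.uk"]},
)


if __name__ == "__main__":
    paths = {
        "com registrar, in scope": ([("dns", "www.example.com"), ("rfc822", "alice@mail.example.com")], [EXAMPLE_COM_CA]),
        "com registrar, other domain": ([("dns", "www.other.com")], [EXAMPLE_COM_CA]),
        "com registrar, excluded subtree": ([("dns", "box.lab.example.com")], [EXAMPLE_COM_CA]),
        "via cross-cert, uk names": ([("dns", "www.example.co.uk"), ("rfc822", "bob@example.co.uk")], [CROSS_COM_TO_UK, UK_EXAMPLE_CA]),
        "via cross-cert, com names": ([("dns", "www.example.com"), ("rfc822", "eve@example.com")], [CROSS_COM_TO_UK, UK_EXAMPLE_CA]),
    }
    for label, (sans, chain) in paths.items():
        print(f"{label}: violations={check_leaf(sans, chain)}")
```

The check makes one property of the cross-certified model concrete: a
relying party anchored on the .com root can reach .uk host names and
mailboxes through the cross-certificate, while nothing the .uk root signs
for a .com host or mailbox validates along that path. Note also that RFC
5280 leaves the trust anchor's own self-signed certificate outside the
path, so the anchor's scope is whatever the relying party configures, not
something the name-constraint machinery itself bounds.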
