At 6:17 PM -0400 6/16/02, Keith Moore wrote:
>> Multiple cert paths do not necessarily make for more trust, but they
>> do add enough complexity to make the system unscaleable, not to
>> mention the revocation issues ...
>
>uuh. A single root CA definitely doesn't scale, because there is no CA
>that everyone can trust. There might be scalability issues with multiple
>paths, but they're not as fundamental as that.

Keith,

If explicit trust is required I agree, but in the DNS case we already have a singly-rooted tree that everyone relies upon. If you want to use the word "trust" then we all trust the root for DNS, but I think the term is not applicable here. If we created a DNS-based PKI, we would be relying on the correct operation of each of the DNS domains for secure identification, in lieu of relying on them for insecure identification.

Steve