Re: Global PKI on DNS?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





Stephen Kent wrote:

> Your example does not require cross-certification. It only requires that the relying parties be members of, or have access to the (CA) credentials for, the communities to which the individuals belong. Cross certification is one way to accomplish this, but it is not the only way.

Cross-certification is the way to do it automatically, tamperproof and that.
But PKI does not work with cross-certification, so cross-certifcation must
not be useful ;-)

>  You keep asserting that a single root does not permit scaling, but I have yet to see a good argument supporting that assertion.

;-) for starters, just read your own emails in this thread. You mentioned at least
two reasons why a single root is not good for PKI.  My reasons include the
observation that a single point of control is also a single point of failure.  One
perverse aspect of the single root is, thus, that as the PKI grows and the single root
gathers all the liability there is a point after which the liability at that single root
may not even be insurable. Just think of it: all world e-commerce compromised because
of one snafu at one point?  This would be involution, not evolution.

> In part this seems to result from your approach to defining a PKI, a definition not consistent with most others in the literature.

I have not defined what a PKI is.  I guess there are already plenty of definitions
around.  I just said that a PKI would need to be an infrastructure -- that pesky
"I" at the end of PKI.

But failure to be an infrastructure is IMO one of the reasons why PKI is at a dead
end.  The DNS, OTOH, is an infrastructure.  Mixing both will reduce the infrastructure
property of the DNS, reduce interoperation and alienate business drivers.

There are many problems with the DNS, surely.  I have catalogued more than forty
serious problems.  But the DNS has scaled from 10^4 users to almost 10^8 users
without much change.  We should be careful in adding a limited technology such
as PKI to the DNS.  The converse seems to be more reasonable -- using the DNS to
add distribution channels (for certs and revocation information) to a PKI.  This can
be done right now.

Cheers,
Ed Gerck





[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]