Re: Global PKI on DNS?

At 11:58 AM -0400 6/25/02, Keith Moore wrote:
>> We seem to agree that the DNS could be used to distribute certs, so
>>  the question is what should the certs attest to and who should issue
>>  them. I argue that we need certs that support validation of DNS
>>  bindings,  and that the only authoritative sources for that info are
>>  the folks who manage the DNS.
>
>and there is no assurance that they're trustworthy.

since trustworthiness is a relative term, that can always be said 
about any CA.  that's why I don't like dealing with CAs based on 
trust. authoritativeness is a quality that is less contentious in 
many contexts, including this one.


>> Anyone else is a TTP, with all the
>>  problems that implies.
>
>the problems associated with TTPs may actually be less than the problems
>associated with implicitly trusting the TLDs.  you *choose* whether to
>trust a TP.  limited trust of the TLDs is essentially forced on you,
>but it's a mistake to extend that trust beyond the minimum necessary.

and a DNS-based PKI would not require anyone to trust it. people 
could choose to make use of it, or could continue to make use of the 
insecure system we have today. nobody said that making use of the 
certs would be mandatory; it would be an option we currently do not 
have.

you fear that people would decide to rely on this new aspect of the 
infrastructure and you think that, because of the specific 
organizations operating some TLDs, that this would be a bad choice. 
but, since we agree that people implicitly rely on it anyway, I don't 
see the change as a bad one.

>it's one thing to get an address RR of a server from a TLD. you still
>have the opportunity to authenticate that server via other means that
>you trust.  the worst the TLD can do in this case is a DoS attack.
>
>OTOH if the TLD has the capability of issuing a bogus cert for the
>server you want to contact, and you are foolish enough to trust it,
>you're screwed.  and the TLDs will mislead the public into trusting
>them, because they'll be the "obvious" choice, and because there's
>nobody to keep them honest.

if you really do have viable means of independently verifying the 
accuracy of the binding, then you can always choose to employ them. I 
think that such means are rare in practice. but, in any case, these 
means could still be available.

>this is why a DNS-based PKI is a Bad Idea. 
>
>OTOH being able to access TP certs via DNS could be quite useful.
>
>the most trust that should be invested in the TLDs (or any zone)
>should be the ability to authenticate the RRs in their zone,
>and specifically NOT to authenticate servers.  and we don't need
>a DNS PKI to authenticate RRs, we have other mechanisms for that.

let's just say we disagree.

Steve

