In short (go in the archive and look for GLOBAL PKI on DNS): I want to send you an e-mail, so I query the DNS with the domain bbn.com and it replies to me that the PKI for this domain is located at ldap://computer.bbn.com/. I then query this LDAP server to extract your public key/certificate. The certificate of the PKI of bbn.com would have been signed by the PKI of com, which would have been signed by the PKI of the root servers.
The DNS does not carry a certificate at any time (too big).
The DNS here is only offering a location service (small DNS records/transfers).
Cheers
Franck
On Sat, 2003-06-07 at 06:12, Al Arsenault wrote:
While I'm in general a fan of PKI, and agree with some of what Phill has to say, a number of things should be kept in mind:

1 - a number of popular applications have been designed to work with a large variety of "trusted root" certificates, by default. For example, I just popped up the list of "trusted root certificates" marked trusted by default in IEv6. I probably miscounted, but I got 106. (YMMV, depending on version, or if you use a different browser, or...) From a whole bunch of different sources.

2 - a number of the entities behind those trusted roots go out of business, or become somebody else, or... A quick quiz, based on the root certs from IEv6 (yes, I know the answer to these questions, but I've been working in the PKI area for over 15 years - how about most people):
- who owns the private keys associated with those 3 "GTE Cyber Trust" root certificates?
- what is that company doing that will conclude by June 30?
- what about the private keys associated with those four "Equifax Secure" root certificates?
- there are at least 10 trusted root certificates marked signed by "DST". What happened to DST?
- there are six certificates marked as being from "Thawte". Who's "Thawte"?
- what about Xcert?
-- Franck Martin <franck@sopac.org> SOPAC |
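The lookup-and-verify flow Franck sketches at the top of this message (DNS as a location service, LDAP as the certificate store, a chain from bbn.com up through com to a root), as an added worked example that is not code from the original thread or from any project it mentions. The DNS record contents, the ldapServers/dnsLocation maps, the e-mail address alice@bbn.com and the three-level CA hierarchy are all constructed in-process stand-ins; no record type for the "PKI location" is assumed beyond a string holding an ldap:// URL, and the trust chain is built and checked with Go's standard crypto/x509.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Constructed stand-in for the DNS "location service": a small record per
// domain naming where that domain's PKI directory lives (hypothetical).
var dnsLocation = map[string]string{"bbn.com": "ldap://computer.bbn.com/"}

// Constructed stand-in for the LDAP server at that location: per-address
// DER certificates plus the CA chain the directory publishes (domain CA and
// TLD CA; the root is held locally by the relying party, never fetched).
type ldapDirectory struct {
	userCerts map[string][]byte
	caChain   [][]byte
}

var ldapServers = map[string]*ldapDirectory{}

// issue creates a certificate signed by parent (nil parent = self-signed root).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey,
	serial int64, email string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.EmailAddresses = []string{email}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildWorld creates root -> com -> bbn.com -> alice@bbn.com and populates the
// constructed directory; it returns the root the relying party trusts.
func buildWorld() (*x509.Certificate, error) {
	root, rootKey, err := issue("Root PKI", true, nil, nil, 1, "")
	if err != nil {
		return nil, err
	}
	com, comKey, err := issue("com PKI", true, root, rootKey, 2, "")
	if err != nil {
		return nil, err
	}
	bbn, bbnKey, err := issue("bbn.com PKI", true, com, comKey, 3, "")
	if err != nil {
		return nil, err
	}
	alice, _, err := issue("Alice", false, bbn, bbnKey, 4, "alice@bbn.com")
	if err != nil {
		return nil, err
	}
	ldapServers["computer.bbn.com"] = &ldapDirectory{
		userCerts: map[string][]byte{"alice@bbn.com": alice.Raw},
		caChain:   [][]byte{bbn.Raw, com.Raw},
	}
	return root, nil
}

// lookupRecipientCert follows the scheme end to end: DNS gives the LDAP
// location, LDAP gives the certificate, and the chain must end at our root.
func lookupRecipientCert(email string, root *x509.Certificate) (*x509.Certificate, error) {
	at := strings.LastIndex(email, "@")
	if at < 0 {
		return nil, errors.New("not an e-mail address")
	}
	loc, ok := dnsLocation[email[at+1:]]
	if !ok {
		return nil, fmt.Errorf("no PKI location record for %s", email[at+1:])
	}
	u, err := url.Parse(loc)
	if err != nil || u.Scheme != "ldap" {
		return nil, fmt.Errorf("bad location %q", loc)
	}
	dir, ok := ldapServers[u.Hostname()]
	if !ok {
		return nil, fmt.Errorf("ldap server %s unreachable", u.Hostname())
	}
	der, ok := dir.userCerts[email]
	if !ok {
		return nil, fmt.Errorf("no certificate for %s", email)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	// The directory is untrusted: the certificate must actually name the
	// address we asked for, not merely sit under that key in the store.
	bound := false
	for _, e := range cert.EmailAddresses {
		bound = bound || e == email
	}
	if !bound {
		return nil, fmt.Errorf("certificate does not name %s", email)
	}
	inter := x509.NewCertPool()
	for _, d := range dir.caChain {
		c, err := x509.ParseCertificate(d)
		if err != nil {
			return nil, err
		}
		inter.AddCert(c)
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}); err != nil {
		return nil, fmt.Errorf("chain does not lead to the root: %w", err)
	}
	return cert, nil
}

func main() {
	root, err := buildWorld()
	if err != nil {
		panic(err)
	}
	cert, err := lookupRecipientCert("alice@bbn.com", root)
	fmt.Println(cert.Subject.CommonName, err)
}
```

Note the point the DNS-as-locator design leans on: the DNS answer and the LDAP server are both unauthenticated here, so the only thing standing between the sender and a substituted key is the chain check against a root the sender already holds; a directory that serves a certificate chaining to some other root, or one issued for a different address, is rejected.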