On Mon, 15 Dec 2003 12:47:43 +1200, Franck Martin said:

> Hmmm, we talked about some of it...
>
> look in the IETF archives on "Global PKI on DNS?"

Paul, Keith, and myself have bounced a few e-mails in private back and forth, and unless I'm totally mis-forgetting that thread, what we're discussing is a totally different problem.

As it turns out, Paul and I are actually in somewhat of an agreement - we were playing "blind man and an elephant" for a while, since Paul and I were approaching the same thing from different ends.

Paul is totally correct in that the currently understood methods of doing PKI are totally sufficient for dealing with a bit string that represents a trust relationship.

All three of us seem to be in agreement that nobody truly understands how to actually create said bit string for a general case - and that's not the PKI's fault, because it's ready. The problem is that the liveware insists on using very fuzzy definitions of "trust" in the real world, and we haven't figured out how to express those real-world considerations as a bit string.

Keith had a very nice set of "I trust" statements a few messages back, which exhibit the problem quite nicely - for instance, "I trust state agencies to make statements about which they have authority" parses quite nicely in English, and has semantics only because we understand 'state agencies' and 'authority'. Therein lie the booby traps - although I can understand Keith's statement, computer software that tries to deal with it in my locality may get tripped up by the fact that technically, I live in a commonwealth. And that's just the tip of the semantic iceberg.

(Keith, Paul - yell if I've misrepresented your positions.. ;)

As Masataka Ohta notes, the result is a lot of small PK structures that are able to encode a very small, limited subset of trust relationships.
Attachment:
pgp00373.pgp
Description: PGP signature