Thanks for the insight,

> Harald,
>
> You are right that the scheme I proposed in 1422 did not succeed,
> and today I would not suggest it. But, the reason I would not suggest
> it today is because I have come to believe that one should adopt CAs
> that are authoritative for the certs they issue, not "trusted" third
> parties. The DNS root is an example of such a CA, whereas RSA
> (proposed as the IPRA) was not. If we deploy DNSSEC in a full, top
> down fashion, the effect is the same as what Kevin is suggesting,
> except that we would be using a standard cert format that is employed
> by many security protocols.
>
> steve

I have no problem with the DNS authorities providing the authoritative certs. Actually, without saying so, I was thinking that they would be authoritative for their own tree. And just as DNS lets me (servanttechnology.com) set up the servers (www, mail, etc.) in my tree, I would see the CAS system giving that same authority. I do believe that a "bridge" trust between top level domains is a good solution rather than the single root CA that, if compromised, would compromise all certs.

One difference between my vision for CAS and DNS is that DNS is expected to provide all information publicly. The CAS would be required to keep some information private.

I am trying to see if there is any interest in using a parallel set of servers providing basically public keys. This would parallel DNS, which would continue providing IP addresses. Maybe the parallel system is overkill; I'm not sure. I like it because it provides an independent path to verify certs. For example, the DNS could provide a signed response and the CAS would act like a third party providing the public key to verify the cert. Otherwise, DNS would provide the signed cert and the public key to verify it. I'm not sure, but I would like to work out a solution.

DNSSEC works in addition to what I think CAS would be. The CAS cert would be for the actual server, answering the question "Can I believe that you are who you say that you are?", whereas DNSSEC is mainly concerned that the DATA has a cert. It is a different approach. Also, DNSSEC refers to an undefined "trust anchor"; I think CAS could fill that void.

The reason I think there is need for a CAS is because DNS is beginning to use certs. E-mail is talking about it. VoIP will need to work out some mechanism too. Why not just put up a general system of servers that provides services (a framework) for certs? Then every application (DNS, E-mail, VoIP, etc.) can use it to support their own PKI services requirements. As I see it, even this framework should not reinvent the wheel because work is already being done by the pkix WG.

Thanks again for the feedback.

Sal
Salvatore Mangiapane