Re: Multiple roots & E2E PKI trust discovery, chain management & capabilities exchange

At 10:08 AM -0400 7/22/05, Francois Menard wrote:
> I would for example not trust .travel from new.net if ICANN had assumed control over .travel ... I should be able to pick this from a PKI-based P2P trust chain, would I not?

Then you have created a new root, namely a combined one that you have hand-crafted yourself. It might not sound like a root, but it truly is. With a traditional trust anchor, the people trusting it also trust that the anchor will have unique names beneath it. In your proposal, you start with a group of trust anchors, and you hand-select where there are name conflicts of names beneath two of the anchors. In doing so, you elevate yourself to being root, and you hide the existence of the trust anchors in your new personal hierarchy.

At 4:16 PM +0200 7/22/05, Stephane Bortzmeyer wrote:
> Since other people would have a different trust chain, this will be a
> significant move from the current semantics of the DNS.

Exactly right. In the current DNS, there is essentially no one saying "Trust Anchor A and Trust Anchor B differ on who are the name servers for .travel, so I'm going to pick the ones from Trust Anchor A." (FWIW, .travel just appeared in the root zone yesterday.)

> I do not say that it is good or bad, just that it is a different
> system than the one users are accustomed to.

Well, because it is both quite different than what we have today, and it would be really difficult to explain to the vast majority of internet users, I would say it would be "bad" to introduce it now. A similar model would be fine in other contexts, but not the DNS or the IP address space.

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
