On Tue, Mar 31, 2015 at 07:10:43AM +0000, Fred Baker (fred) wrote:
>
> On Mar 30, 2015, at 3:55 PM, Richard Shockey <richard@xxxxxxxxxx> wrote:
>
> > The CU folks told us that this is the NUMBER 1 issue their members
> > complain about. Yes it is our problem because we define SIP.
>
> I spoke with one of them in the lobby Saturday morning. I explained
> how what she was calling for was a global (federated?) PKI, and she
> wasn’t likely to achieve her goal without one.

How did that go over? Was she more interested in authenticating
services or users? (or both?)

But you know, we have a global, federated PKI: it's called DNSSEC.

> That it wasn’t a protocol problem, as we have the protocols and
> protocol support for it. All it takes is money.

Eh? Money is probably not the most-needed thing.

A PKIX global federated PKI would depend on various things, of which
IMO the biggest are:

 - Universal name constraints deployment (hah)

   Oh, I suppose money would help here.

and

 - Partitioning of the namespace so that relatively few CAs could
   vouch for any given name, and where such CAs coordinate with each
   other to prevent take-overs (as with DNS, where a zone might have
   multiple registrars, but with a single registry for a TLD).

   This probably means having registries and registrars, as in DNS.

This requires more than money. It requires will. But..

...The thought occurs that one might as well use DNSSEC if what one
wants is a global, federated PKI. Of course, using DNSSEC as a PKI
does involve solving a variety of [lesser, IMO] problems (last-mile
issues, DANE for more protocols).

Nico
--
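The name-constraints and namespace-partitioning point above, as an added example that is not part of the thread: a small model of how X.509 dNSName constraints (RFC 5280 section 4.2.1.10) let a registry-like CA vouch only for its own part of the DNS tree, so that few CAs can issue for any given name. The CA names, constraints and host names are constructed for illustration; no real certificates are parsed.

```python
# Added example, not from the thread: how per-CA dNSName constraints
# partition the namespace. All CA names and host names are constructed.
from dataclasses import dataclass, field


def _dns_matches(name: str, constraint: str) -> bool:
    """RFC 5280 dNSName subtree match, case-insensitive.
    'example.com' covers example.com and every label-wise subdomain;
    a leading-dot form '.example.com' covers subdomains only."""
    name = name.lower().rstrip(".")
    constraint = constraint.lower().rstrip(".")
    if constraint.startswith("."):
        return name.endswith(constraint) and len(name) > len(constraint)
    return name == constraint or name.endswith("." + constraint)


@dataclass
class ConstrainedCA:
    name: str
    permitted: list = field(default_factory=list)  # empty = unconstrained
    excluded: list = field(default_factory=list)

    def allows(self, dns_name: str) -> bool:
        """Excluded subtrees win; otherwise the name must fall in a
        permitted subtree when any permitted subtrees are present."""
        if any(_dns_matches(dns_name, c) for c in self.excluded):
            return False
        if not self.permitted:
            return True
        return any(_dns_matches(dns_name, c) for c in self.permitted)


def vouching_cas(cas: list, dns_name: str) -> list:
    """Names of the CAs whose constraints would let them vouch for dns_name.
    A constrained PKI keeps this list short for every name."""
    return [ca.name for ca in cas if ca.allows(dns_name)]


def chain_permits(chain: list, dns_name: str) -> bool:
    """A leaf name is acceptable only if every CA on the path permits it,
    which is what makes constraints on an intermediate enforceable."""
    return all(ca.allows(dns_name) for ca in chain)


# Constructed registry/registrar-style hierarchy (names are hypothetical).
ROOT = ConstrainedCA("root")                                   # unconstrained
COM_CA = ConstrainedCA("com-registry", permitted=["com"])
EXAMPLE_CA = ConstrainedCA("example-registrar",
                           permitted=["example.com"],
                           excluded=["internal.example.com"])
ALL_CAS = [ROOT, COM_CA, EXAMPLE_CA]
```

With the constructed hierarchy, only the unconstrained root can vouch for a name outside `.com`, which is exactly the "too many CAs for any name" problem name constraints are meant to shrink.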