I don't doubt that you were using PKI to mean more than X.509 PKI because,
among other things, the web page references PGP. That' fine, but since
asrg is a _research_ group, I don't think we want to limit ourselves to
public-key cryptosystems that require an infrastructure, particularly
during a requirements phase of work.
Mark
At 09:29 AM 11/17/2003, Hallam-Baker, Phillip wrote:
I was using the term PKI in a very general sense rather than as a synonym
for X.509v3/PKIX. As you may be aware I am the principal advocate of key
centric PKI with the XKMS protocol.
In this particular case I do not see that there is a huge value to making
the distinction. The real issue is accreditation of the sender entity,
whether it be an ISP or an Enterprise sending email. That is the step that
provides the risk reduction. At a minimum you want to establish that if the
email turns out to be spam you know where to find the sender.
[Here I will resist telling the story involving the Chaos Computer Club, the
Pick'n Pack bar, some irate system administrators and a number of baseball
bats]
The accreditation of the sender entity requires an infrastructure, even if
you do not use public key. That is where all the incremental costs are at
any rate.
I will accept that we could use public key for authentication only without
using an accreditation infrastructure. So in this scenario we would put the
hash of a public key in the DNS and sign each message.
I don't see a great deal of advantage to this configuration unless DNSSEC is
also deployed. If you fear a spammer spoofing the LMAP record then you also
have to fear spoofing of the delegation.
This gets us into a whole can of worms. First DNSSEC if deployed from the
root is unquestionably a PKI. It has all the problems of PKI deployment -
how to convince ICANN and the registrars to participate in PKI deployment.
In addition we have a specification that is uneconomic to deploy in large
zones. So instead of DNSSEC being a low cost alternative to X.509 PKI the
current specs would require key registration to be considerably more
expensive.
Phill
> -----Original Message-----
> From: Mark Baugher [mailto:mbaugher(_at_)cisco(_dot_)com]
> Sent: Monday, November 17, 2003 10:48 AM
> To: Hallam-Baker, Phillip
> Cc: asrg(_at_)ietf(_dot_)org
> Subject: RE: [Asrg] 6. Proposals
>
>
> Phill
> Thanks for posting this. I have not had enough time to
> review it but
> have some opinions from my first read. My first comment is
> that you use
> "PKI" in place of "PKC" but the latter is the more general
> technology and
> we should keep our options open at this point.
>
> Mark
> At 07:16 PM 11/14/2003, Hallam-Baker, Phillip wrote:
> >I have no idea where the attached fits in the hierarchy. It
> is a survey of
> >various approaches to authentication and accreditation.
> Members may wish to
> >read and comment.
> >
> >The format is HTML, lets see if the mailing list will take it.
> >
> > Phill
> >
>
>
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg