|
Re: Global PKI on DNS?
2002-06-12 11:33:59
At 1:15 PM -0400 6/12/02, Keith Moore wrote:
> > I don't want to discount the importance of cert discovery, but I do
> think it's a stretch to believe that you're going to be willing to trust
> all of the certs that you discover in a chain of significant length, for
> a significant set of purposes.
So do you think that there's a necessary difference in trustworthiness
between the certs that you "discover" when you take your computer out of
the box, or download the latest browser, and those that you would discover
via some lookup mechanism? Even if the certs discovered via that
mechanism were associated with policies based on explicit agreements
and terms of use between your organization and the various issuers?
no, I think there's likely to be a difference in the trustworthiness
of a short chain of certs involving a small number of other parties
vs. that of a long chain of certs involving a larger number of other
parties. and if the cert discovery mechanism can incorporate
personal and/or site policy, that's great - as long as it knows
which policy to use under which circumstances.
in general I think the longer the cert chain, the narrower the applicability.
Keith
I think that it is an oversimplification to argue that shorter chains
are necessarily less trustworthy than longer ones, and this seems
especially true in this context.
if one were to create a PKI paralleling the DNS, each CA would
correspond to a component of a DNS name and each of those points is
authoritative for the naming of the entities under it. this is not a
new notion introduced by making a PKI parallel to the DNS, but is an
intrinsic feature of the DNS design. if one chose to create such a
PKI, the CAs would not be trusted third parties in the common sense
of the term. they are precisely the entities that are responsible for
managing their parts of the DNS name space and are implicitly trusted
to do so.
Those who have argued against a single root in general should note
that there are ways to have multiple entities act in a coordinated
fashion to sign on behalf of a root, which mitigates the security
concerns associated with what might appear to be a single root. But,
that does not diminish the problems noted earlier re increased
traffic for TLD DNS servers, etc. I'm just addressing tyhe security
aspects of a DNS-based PKI. Also even if one were to have a singly
rooted DNS, that does not make it the only game in town, i.e., there
should be lots of other PKIs, each with its own root and serving a
well defined constituency.
Steve
| <Prev in Thread] |
Current Thread |
[Next in Thread>
|
- Re: Global PKI on DNS?, (continued)
- Re: Global PKI on DNS?, David Conrad
- Re: Global PKI on DNS?, Eric Rescorla
- Re: Global PKI on DNS?, Keith Moore
- Re: Global PKI on DNS?, RL 'Bob' Morgan
- Re: Global PKI on DNS?, Keith Moore
- Re: Global PKI on DNS?,
Stephen Kent <=
- Re: Global PKI on DNS?, Keith Moore
- Re: Global PKI on DNS?, Ben Laurie
- Re: Global PKI on DNS?, Chris Evans
- Re: Global PKI on DNS?, Einar Stefferud
- Re: Global PKI on DNS?, Stephen Kent
- Re: Global PKI on DNS?, Einar Stefferud
- Re: Global PKI on DNS?, Stephen Kent
- Re: Global PKI on DNS?, Einar Stefferud
- Re: Global PKI on DNS?, Stephen Kent
- Re: Global PKI on DNS?, Einar Stefferud
|
|
|