ietf
[Top] [All Lists]

a nit, Re: Global PKI on DNS?

2002-06-13 09:34:16

Stef's point that PKI cannot represent trust relationships
is deflected -- but not denied -- by Kent. Does this mean
that we can have a global PKI on DNS?

No.

I believe that Kent is right when he says that PKI deals with a
chain of authority, not a chain of trust.  This may seem to be an
arcane point but a chain of authority can be defined by a
self-reference and can be propagated from a single reference
to a single reference whereas a chain of trust cannot, in both
counts.  Indeed, a PKI hierarchy (and chain of authority)
is very similar to the DNS hierarchy and zone delegation
system.

There is a nit, however.

A PKI modeled on the DNS would fail to work as a PKI.  Contrary
to the DNS and as an "infrastructure", a PKI should be able to
accept --  and use -- multiple roots.   But there is no concept  of
"cross CA" certification in the DNS, which would be akin to
routing across multiple roots in the DNS. In fact, this is exactly what
the  ICANN folks set out to prevent...

Cheers,
Ed Gerck

Stephen Kent wrote:

At 10:42 PM -0700 6/12/02, Einar Stefferud wrote:
May I suggest that someone do a little work on proving the trust is
transitive, as that is what this is really all about, and if it
turns out that trust in not transitive, then what was the point?

Maybe if you ask Google about trust transitivity, you all might
learn something;-)...

Cheers..Stef

PS:  I trimmed the address list to just IETF;-)...\s


Stef,

Trust generally is not transitive, but cert chains are not about
transitive trust. The DNS is a hierarchy with clear lines of
authority for name spaces. A PKI modeled on the DNS would parallel
the existing hierarchy and merely codify the relationships expressed
by it in the form of public key certs.

Steve




<Prev in Thread] Current Thread [Next in Thread>