|
Re: Global PKI on DNS?
2002-06-13 11:24:19
At 9:08 AM -0700 6/13/02, Einar Stefferud wrote:
I understand clearly about chains of authority and about the lack of
trust transitivity.
The rest of your message strongly suggests that you don't.
What makes a DNS delegation of naming zone authority into a trust
transitivity vehicle.
I assume there was an implied question mark above.
Why should I trust VeriSign to vouch for my reasons to trust you?
I think you may be falling into a common trap, i.e., assuming that
PKIs must be based on explicit trust in CAs. A trusted third party
public CA, which is what VeriSign is primarily know as, does require
explicit trust, because it is not authoritative for the identities
for which it vouches. However, the entities that operate domains in
the DNS are authoritative for the names in their subdomains. If they
act as CAs, there is no explicit trust requirement. With suitable
controls (specifically, use of the NameConstraints extension) these
CAs can not issue certs (that will be considered valid) for entities
outside of their name spaces. Thus they cannot do any worse than they
can do today, in terms of basic assertions about the binding between
a name and an address. The primary motivation I see for a DNS-based
PKI is to provide a basis for better security for these bindings, in
support of PKI-enabled applications.
When you turn out to have a bogus CERT, after I have trusted you,
and I go to VERISIGN seeking redress for trusting them and their
breach of my trust, what do they offer me other than the simple
statement that
"Go away! You do not have a contract with us!"
"Our contract is only with the CERT holder!"
"And we have disclaimed all liability to him as well."
Are you referring to VeriSign as a public CA or VeriSign as the owner
of NSI, and operator of .COM and several other TLDs? There is a big
difference.
In either case, you seem to be assuming that liability must be
associated with issuance of these certs, which need not be the case.
not all certs are for use with applications that support
non-repudiation. one could adopt a cert policy, and express it in the
DNS certs, to minimize the liability associated with their use. if
the goal is to use certs to improve the quality of host & user
authentication, that need not imply any new liabilities compared to
what is implied by current DNS management.
And when I go to ICANN for redress, because they supposedly vouched
for their delegated authority to run a DNS Zone, they say:
"Sorry, this has nothing to do with us!"
"We are not a party to any liability here!"
"We only deal with DNS Zones, and do not
Vouch for the data contained there-in,
because we do not verify it in delegated zones!"
So, what is it about DNS delegations that give you reason to inform
this list that trust is transitive in the DNS?
You are the one who keeps saying that trust is transitive. I'm the
one saying that it's not, and that a DNS-based PKI does not imply
transitive trust.
<rest of message deleted, since it didn't say anything new,
constructive, or generally relevant to the topic ...
Steve
| <Prev in Thread] |
Current Thread |
[Next in Thread>
|
- Re: Global PKI on DNS?, (continued)
- Re: Global PKI on DNS?, Ben Laurie
- Re: Global PKI on DNS?, Chris Evans
- Re: Global PKI on DNS?, Einar Stefferud
- Re: Global PKI on DNS?, Stephen Kent
- Re: Global PKI on DNS?, Einar Stefferud
- Re: Global PKI on DNS?,
Stephen Kent <=
- Re: Global PKI on DNS?, Einar Stefferud
- Re: Global PKI on DNS?, Stephen Kent
- Re: Global PKI on DNS?, Einar Stefferud
- Re: Global PKI on DNS?, Stephen Kent
- Re: Global PKI on DNS?, Einar Stefferud
- Re: Global PKI on DNS?, Stephen Kent
- Re: Global PKI on DNS?, Einar Stefferud
- Re: Global PKI on DNS?, Stephen Kent
- Re: Global PKI on DNS?, Ed Gerck
- Re: Global PKI on DNS?, Stephen Kent
|
|
|