
RE: Global PKI on DNS?

2002-06-13 15:24:39
You gents have way too much time on your hands..... this list should be used
as a means to assist with questions regarding technologies ... not used as a
forum for posturing....

-----Original Message-----
From: Christian Huitema [mailto:huitema(_at_)windows(_dot_)microsoft(_dot_)com]
Sent: Thursday, June 13, 2002 2:52 PM
To: Ed Gerck; Keith Moore
Cc: Stephen Kent; Einar Stefferud; ietf
Subject: RE: Global PKI on DNS?


A PKI modeled on the DNS would parallel the existing hierarchy and merely codify the relationships expressed by it in the form of public key certs.

so what you're saying is that the cert would mean something like:

;-) actually, to a lawyer, a PKI cert says something like:

[deleted]

Part of the problem is that we are mixing two issues, i.e. "am I speaking
to the server that is legitimately designated by the name
www.example.com", and "am I speaking to the service that is supposed to
manage my examples." Attaching certificates to names may solve the
former; solving the latter requires that the user discovers in a trusted
way the DNS name associated with the service. We know that there are many
psychology-based attacks that can fool users into connecting to the wrong
name; PKI certificates attached to the DNS name are not going to solve
that.

There is in addition an even more murky area, which is the validity of
the binding over time. Some artists specialize in grabbing DNS names
that their legitimate users fail to renew in time. Suddenly,
www.example.com is not managing my examples anymore; it has become a
gateway to a porn site. Yet, that porn portal has a perfectly valid and
up-to-date PKI certificate. Amusing, isn't it?

-- Christian Huitema
