Re: Global PKI on DNS?

At 2:47 PM -0400 6/13/02, Keith Moore wrote:

 > A modest, realistic ambition for a DNS-based PKI would be to improve

 the security of the binding between DNS entries and the associated
 machines


yes, I think this is right.  it eliminates some kinds of threats. but
it still doesn't guarantee that you're talking to the service you think
you're talking to. and that's a difficult distinction to communicate
to users.

It is unlikely that we can ever create a system that ensures thatevery user is " talking to the service you think you're talking to"because users can make all sorts of mistakes in trying to express whothey really want to talk to. That's why I think it makes sense tosettle for a more modest aim, i.e., authenticating that you areconnected to the entity registered with the DNS name that youasserted that you wanted to talk to.

that and putting this much trust in the registries makes them very
attractive targets.

Which registries? DNS servers are already attractive targets. Absentother forms of strong authentication, we rely on the integrity of theDNS to ensure that we are talking to who we ....


Steve

<Prev in Thread]	Current Thread	[Next in Thread>
Re: Global PKI on DNS?, (continued) Re: Global PKI on DNS?, Einar Stefferud Re: Global PKI on DNS?, Stephen Kent Re: Global PKI on DNS?, Einar Stefferud Re: Global PKI on DNS?, Chris Evans Re: Global PKI on DNS?, Alex Audu Re: Global PKI on DNS?, Stephen Kent a nit, Re: Global PKI on DNS?, Ed Gerck Re: Global PKI on DNS?, Keith Moore Re: Global PKI on DNS?, Stephen Kent Re: Global PKI on DNS?, Keith Moore Re: Global PKI on DNS?, Stephen Kent <= Re: Global PKI on DNS?, Harald Koch Re: Global PKI on DNS?, Stephen Kent Re: Global PKI on DNS?, Keith Moore Re: Global PKI on DNS?, Ed Gerck Re: Global PKI on DNS?, Stephen Kent Re: Global PKI on DNS?, Ed Gerck Re: Global PKI on DNS?, Stephen Kent Re: Global PKI on DNS?, Ed Gerck Re: Global PKI on DNS?, Eric Rescorla Re: Global PKI on DNS?, Ed Gerck