Stephen Kent wrote:
Ed,
<snip>
I think your sample CPS, while more than a little tongue in cheek, is
a good example of what a CA may assert. But, in the DNS context, many
of the issues you note are much less serious concerns than in a
general CA context, because of the existing limitations on the names,
the existing semantics associated with names by the DNS, ...
Steve:
I am in substantial agreement with your comments, especially the last one
above. However, as I commented earlier, I believe that the DNS and the
PKI models are incompatible IF you truly want to have a PKI. The reason
is that a true PKI would need to work with multiple roots while the DNS
cannot do it. HOWEVER, since Verisign de facto controls the DNS
name space (the space that matters, anyway) AND is a CA, there is
a possibility (some might say the danger) for Verisign to use this
position to de facto control a quasi-PKI space and the domain name
space.
As a last comment, and already abusing the list patience, we need to
reinvent/revisit PKI! Changes are needed also in the DNS.
One just needs to take a look to the PKI space (and sales) to realize that
it is at a dead end, topped off. PKI experience is proving my assertion of
5 years ago that PKI cannot scale beyond a certain size and only works
in a friendly context, or in one where liabilities to the user are utterly
denied
(in the military or as US law still allows -- "user beware").
Thus, perhaps the DNS PKI experience will be good, after all. It may help
increase/motivate the need for reinventing both, PKI and the DNS.
Perhaps, in this new design, we will be able to build in that elusive trust,
which has evaporated.
Cheers,
Ed Gerck