Re: Global PKI on DNS?
2002-06-14 10:14:10
Ed,
> Stephen Kent wrote:
> > Ed,
> > <snip>
> > I think your sample CPS, while more than a little tongue in cheek, is
> > a good example of what a CA may assert. But, in the DNS context, many
> > of the issues you note are much less serious concerns than in a
> > general CA context, because of the existing limitations on the names,
> > the existing semantics associated with names by the DNS, ...
> Steve:
> I am in substantial agreement with your comments, especially the last one
> above. However, as I commented earlier, I believe that the DNS and the
> PKI models are incompatible IF you truly want to have a PKI. The reason
> is that a true PKI would need to work with multiple roots while the DNS
> cannot do it. HOWEVER, since Verisign de facto controls the DNS
> name space (the space that matters, anyway) AND is a CA, there is
> a possibility (some might say the danger) for Verisign to use this
> position to de facto control a quasi-PKI space and the domain name
> space.
Could you elaborate, perhaps privately, with why you believe a "true
PKI" needs multiple roots?
> As a last comment, and already abusing the list patience, we need to
> reinvent/revisit PKI! Changes are needed also in the DNS.
> One just needs to take a look to the PKI space (and sales) to realize that
> it is at a dead end, topped off. PKI experience is proving my assertion of
> 5 years ago that PKI cannot scale beyond a certain size and only works
> in a friendly context, or in one where liabilities to the user are
> utterly denied (in the military or as US law still allows -- "user beware").
> Thus, perhaps the DNS PKI experience will be good, after all. It may help
> increase/motivate the need for reinventing both, PKI and the DNS.
> Perhaps, in this new design, we will be able to build in that elusive trust,
> which has evaporated.
As you can tell from my messages, I have a broad view of what PKIs
are and what they are good for, and so I have a different spin on the
relative lack of success re PKI deployment. My view is that too many
folks have tried to get too much out of any single PKI, and that has
caused a lot of our headaches. If we admit to the need for many PKIs,
each serving a well-defined user community, then I think each of
these PKIs would be easier to create, manage, and deal with from a
liability standpoint.
If I look in my wallet, I have a lot of credentials, each issued by a
different organization. Each is useful only in certain contexts. Each
tends to uniquely identify me via a number of some sort and often
that number is meaningful only in the context for which the
credential was developed. We would be in pretty good shape if we had
PKIs that parallel these paper and plastic credentials. The security
would be better and with good software, the convenience would be
better for users. Trying to create a single PKI that issues a cert
that replaces all of these credentials is just not going to work.
Steve