ietf

Re: Global PKI on DNS?

2002-06-14 10:24:00
Stef,

Thank you, Steve, for clarifying your simple little error and correcting the record on what I did or did not say. I admit that the error was small in commission but you must admit that it was huge in effect, so it is good for you to have corrected the record.

I will assume that it was not intentional.

No, it was not intentional.

Now, all I did was ask you to offer proof that trust is ever transitive, as a separate sub-question of the general debate, because in my view, this question is central to the reasons for bothering to discuss the rest of this thread.

In short, if trust cannot be proved to be transitive, like DNS zone control delegation is transitive, then there is no reason to continue with PKI designs that ASSUME TRUST IS TRANSITIVE.


        <snip>

The essence of our disagreement is that I don't view the relationship between the CAs in a DNS-based PKI to be one of trust. We rely on DNS admins to correctly bind addresses to names in the zones they control. This is the essence of the semantics of DNS operation. If these folks acted as CAs, we would rely on them in the same fashion to bind the same names to public keys, which just provides a secure mechanism to effect the binding of the name. If we don't call the first relationship trust, then I don't feel we should call the second one a trust relationship either.

You use the term "delegation" above and that's critical. In a system like DNS which makes clear who is authoritative for which names, I don't think the term "trust" is applicable, and that is the crux of our disagreement.

On a less polite note, your line of argument has been to saddle me with a need to prove something that I have never asserted, which is pretty silly, at best. It's not surprising that I continue to decline to take a side of a debate that you have tried to define for me and which does not represent my position.

Steve


