Stef,
Hi Steve -- Now we are beginning to connect with the real meta issue.
I am talking about "Trust Transitivity" in general.
We agree that the DNS offers no trust functions, useful or otherwise.
So, my focus is not on PKI as related to DNS, which is what you
addressed here.
It the fundamental issue of trust transitivity in PKI.
I will concede that PKI is transitive in terms of "connectedness" as is DNS.
Both have relations of relatedness, but this does not confer
transitivity on trust.
Trust still has to be earned, not awarded, in any case.
I am questioning the validity of the widely held assumption that trust is
(or can be) transitive in PKI (or anywhere for that matter).
So, back to my basic question:
Is trust transitive anywhere under any conditions?
I question that it is, until someone proves that:
"Trust is transitive somewhere/anywhere in real life";
and then prove that:
"Trust is transitive in PKI Theory";
and then prove that:
"Trust is transitive in PKI reality".
HINT: It will help if you can refer to some Formal Logical Theory of TRUST.
First, forget PKI and forget DNS, and show that trust is transitive
somewhere under some describable conditions. Then show that trust
is transitive in PKI.
I know that many people assume that Trust is transitive in PKI.
I am not asking about popular opinion here.
We need some formally logical facts.
If you have some, please show them to us.
Cheers...\Stef
This is getting tiresome. I have the feeling that you do not read to
the end my messages. I'll keep this short:
- I have never stated that trust is transitive; in fact, I
have given numerous talks and written a number of papers that state
the opposite, so my position has been consistent and on the record
for many years.
- although many popular PKIs (including PGP) assume on
transitive trust, this it not an intrinsic feature of PKIs.
- a PKI in which each CA is authoritative for the name space
in which it issues certs need not involve transitive trust.
- cross-certification in such a PKI need not involve trust;
it can merely represent a recognition by one CA of the authority of
another CA for a different part of a name space
In the case of DNS, where authority for each part of the name space
is well defined, I argue that having the folks who are responsible
for the domains assume the role of CA for their domains is a natural
way to create a PKI that attests only to the binding of DNS names to
keys. I maintain that this does not involve transitive trust.
Steve