Re: Global PKI on DNS?
2002-06-17 07:13:59
At 3:32 PM -0700 6/14/02, Einar Stefferud wrote:
> Ok, we are getting somewhere now.
>
> So, I ask, where does trust come from in PKI if not from
> transmission via some 3rd party CERT issuer, which I understand to
> be a use of transitivity of trust from the CERT buyer, through the CA
> to the relying party.
>
> Maybe this is erroneous thinking, but if so, please explain how
> the trust information is passed from the CERT holder through the CA
> to the cert recipient who will use it as a basis of trust. To me,
> this looks like transitivity.
>
> A trusts B; C Trusts A; therefore C trusts B????
>
> Cheers...\Stef

Stef,

A public key cert is a digitally signed attestation by a CA, binding
attributes to a public key. It is a digital credential. We deal with
physical credentials all the time and in most cases we don't ask
whether we trust the issuer of the credential to correctly issue the
credential, although there are exceptions. More often we worry about
the integrity of the credential per se, e.g., how hard is it to forge
a credential.

I feel that the term "trust" is appropriately applied to certs when
the CA is not authoritative for the attributes in the cert, but is
not appropriate when the CA is authoritative.

By analogy, we normally do not say that we "trust" an employer to
identify its employees or the U.S. State Dept. to identify U.S.
citizens. They are authoritative as credential issuers and thus the
term trust, while potentially applicable, is not commonly applied,
i.e., it is implicit.

Steve