ietf

Re: Global PKI on DNS?

2002-06-17 07:13:59
At 3:32 PM -0700 6/14/02, Einar Stefferud wrote:
Ok, we are getting somewhere now.

So, I ask, where does trust come from in PKI if not from transmission via some 3rd party CERT issuer, which I understand to be a use of transitivity of trust from the CERT buyer, through the CA to the relying party.

Maybe this is erroneous thinking, but if so, please explain how the trust information is passed from the CERT holder through the CA to the cert recipient who will use it as a basis of trust. To me, this looks like transitivity.

A trusts B; C Trusts A; therefore C trusts B????

Cheers...\Stef

Stef,

A public key cert is a digitally signed attestation by a CA, binding attributes to a public key. It is a digital credential. We deal with physical credentials all the time and in most cases we don't ask whether we trust the issuer of the credential to correctly issue the credential, although there are exceptions. More often we worry about the integrity of the credential per se, e.g., how hard is it to forge a credential.

I feel that the term "trust" is appropriately applied to certs when the CA is not authoritative for the attributes in the cert, but is not appropriate when the CA is authoritative.

By analogy, we normally do not say that we "trust" an employer to identify its employees or the U.S. State Dept. to identify U.S. citizens. They are authoritative as credential issuers and thus the term trust, while potentially applicable, is not commonly applied, i.e., it is implicit.

Steve
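The two roles in the exchange above, the CA that signs a binding of attributes to a public key and the relying party that decides whether to accept it, can be made concrete in code. The following Go program is an added example, not part of this thread or of any IETF document; it uses only the standard library crypto/x509 package, the CA and subject names ("Example CA", "Rogue CA", "alice@example.test") are hypothetical, and every key is generated in memory. It runs four scenarios: the genuine cert against a relying party that holds the issuing CA as its trust anchor, the same cert against a relying party with no anchor at all, a cert binding the same name to a different key but signed by a CA the relying party never chose, and the genuine cert with one signature byte flipped.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // setup failures in this in-memory demo are programming errors
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// newCA builds a self-signed CA certificate for a hypothetical name.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// issue is the CA's attestation: it signs a binding of the subject name (the attribute)
// to the subject's public key. The CA never holds the subject's private key.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subject string, pub *ecdsa.PublicKey) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	check(err)
	return der
}

// relyingPartyAccepts is the recipient's side: the binding is accepted only if the cert
// chains to an anchor the relying party itself configured and the signature verifies.
func relyingPartyAccepts(leafDER []byte, anchors ...*x509.Certificate) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool() // non-nil and empty means "no anchors", not "use system roots"
	for _, a := range anchors {
		roots.AddCert(a)
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

type Outcome struct {
	GenuineAccepted  bool // honest cert, issuing CA is an anchor
	NoAnchorRejected bool // same cert, relying party configured no anchor at all
	RogueRejected    bool // same name bound to another key by a CA the relying party never chose
	TamperedRejected bool // honest cert with one signature byte flipped
}

func RunScenarios() Outcome {
	ca, caKey := newCA("Example CA")
	alice := newKey() // the cert holder's own key pair; only the public half reaches the CA
	genuine := issue(ca, caKey, "alice@example.test", &alice.PublicKey)
	rogueCA, rogueKey := newCA("Rogue CA")
	mallory := newKey()
	rogue := issue(rogueCA, rogueKey, "alice@example.test", &mallory.PublicKey)
	tampered := append([]byte(nil), genuine...)
	tampered[len(tampered)-1] ^= 0xff // the final DER byte sits inside the signature value
	return Outcome{
		GenuineAccepted:  relyingPartyAccepts(genuine, ca) == nil,
		NoAnchorRejected: relyingPartyAccepts(genuine) != nil,
		RogueRejected:    relyingPartyAccepts(rogue, ca) != nil,
		TamperedRejected: relyingPartyAccepts(tampered, ca) != nil,
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

Run with `go run .`; all four fields print as true. The point the scenarios make is that the cert carries only the CA's signed binding; whether that binding is accepted is decided by which anchors the relying party has chosen to configure, and a cert with the same name from an unchosen CA, or a modified cert, is rejected by the same check.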
