
Re: Global PKI on DNS?

2002-06-17 09:50:53
At 12:27 PM -0400 6/17/02, Keith Moore wrote:
> Yes, one could use the DNS merely as a repository for certs from any
> PKI. But, the DNS provides a unique opportunity to take advantage of
> an existing name system that is very widely used and which is
> precisely the way we usually communicate the name of the machine to
> which we wish to connect (or the name of the person to whom we wish
> to send a message).

right, but the name is just a shorthand, it doesn't actually specify
the service to which we wish to connect.  it's entirely possible that
the name-to-service binding has changed without our knowing it,
which is why it's *essential* that we don't depend on such names
as our primary identity for authentication.

The name is precisely what we specify to get to the machine (or cluster of machines) in question. So long as we use a DNS name for that purpose, it makes sense to use a certified DNS name to verify that we are connected to the place we said we wanted to contact. Which services are offered at that machine is a different matter. If I want to use certs with IPsec, then a cert with a DNS name is most appropriate. If I want a cert for use with S/MIME, then a cert with an RFC822 address is most appropriate, and having it be issued from a CA that is authoritative for the DNS name on the right side of the @ is appropriate.

> Now, having said that, I acknowledge that one can have such a PKI but
> not choose to have a single root for it. One could have each TLDs act
> as its own root and cross certify (using name constraints) to link
> the TLDs together.

What's the point of encouraging people to trust an untrustworthy structure?

Do you say the structure is untrustworthy because the TLD registrars sometimes make mistakes? That is an inevitable side effect of any large database system. The TLD databases ARE the reference for the next tier name/address mapping, right or not. Anyone else acting as a CA at this level would have to rely on those databases, or we begin to get into the T-word big time.

What else would provide a good PKI basis for the sorts of certs I allude to above?

Steve
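As an added example (not code from this thread or from either author), the name-constraint matching that cross-certified TLD roots and an "@-domain" S/MIME CA would rely on, following the dNSName and rfc822Name rules of RFC 5280 section 4.2.1.10; the constraint values and the two-step certification path are constructed.

```python
# Added example: RFC 5280 s4.2.1.10 name-constraint matching for dNSName and
# rfc822Name, applied to the cross-certified-TLD-roots idea from the thread.
# Constructed values throughout; not the thread's own code.
from typing import List, Tuple

Subtree = Tuple[str, str]  # (name type: "dns" | "email", base)


def dns_in_subtree(name: str, base: str) -> bool:
    """dNSName: matches the base exactly or with labels added on the left."""
    n, b = name.lower().rstrip("."), base.lower().rstrip(".")
    return n == b or n.endswith("." + b)


def email_in_subtree(addr: str, base: str) -> bool:
    """rfc822Name: base is a mailbox (exact match), a host (every mailbox on
    that host), or '.domain' (mailboxes on hosts below, but not at, domain)."""
    a, b = addr.lower(), base.lower()
    if "@" in b:
        return a == b
    if "@" not in a:
        return False
    host = a.rsplit("@", 1)[1]
    return host.endswith(b) if b.startswith(".") else host == b


def in_subtree(kind: str, value: str, base: str) -> bool:
    return (dns_in_subtree if kind == "dns" else email_in_subtree)(value, base)


def permitted_by(permitted: List[Subtree], excluded: List[Subtree],
                 kind: str, value: str) -> bool:
    """One CA's constraints: an excluded match rejects; a name type with no
    permitted subtree is unconstrained; otherwise some permitted base must match."""
    if any(k == kind and in_subtree(kind, value, b) for k, b in excluded):
        return False
    same_kind = [b for k, b in permitted if k == kind]
    return not same_kind or any(in_subtree(kind, value, b) for b in same_kind)


def path_permits(path: List[Tuple[List[Subtree], List[Subtree]]],
                 kind: str, value: str) -> bool:
    """Constraints of every CA on the path apply, i.e. their intersection."""
    return all(permitted_by(p, e, kind, value) for p, e in path)


# Constructed scenario: the org root cross-certifies the com root only for
# names under com; the com root certifies the example.com CA only for its
# own domain and mail there, carving out one internal subtree.
CROSS_CERT_PATH = [
    ([("dns", "com"), ("email", ".com")], []),                      # org root -> com root
    ([("dns", "example.com"), ("email", "example.com"),
      ("email", ".example.com")], [("dns", "internal.example.com")]),  # com root -> example.com CA
]
```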


