At 12:27 PM -0400 6/17/02, Keith Moore wrote:
>> Yes, one could use the DNS merely as a repository for certs from any
>> PKI. But, the DNS provides a unique opportunity to take advantage of
>> an existing name system that is very widely used and which is
>> precisely the way we usually communicate the name of the machine to
>> which we wish to connect (or the name of the person to whom we wish
>> to send a message).
>
> right, but the name is just a shorthand, it doesn't actually specify
> the service to which we wish to connect. it's entirely possible that
> the name-to-service binding has changed without our knowing it,
> which is why it's *essential* that we don't depend on such names
> as our primary identity for authentication.
The name is precisely what we specify to get to the machine (or
cluster of machines) in question. So long as we use a DNS name for
that purpose, it makes sense to use a certified DNS name to verify
that we are connected to the place we said we wanted to contact.
Which services are offered at that machine is a different matter. If
I want to use certs with IPsec, then a cert with a DNS name is most
appropriate. If I want a cert for use with S/MIME, then a cert with
an RFC822 address is most appropriate, and having it be issued from a
CA that is authoritative for the DNS name on the right side of the @
is appropriate.
>> Now, having said that, I acknowledge that one can have such a PKI but
>> not choose to have a single root for it. One could have each TLD act
>> as its own root and cross certify (using name constraints) to link
>> the TLDs together.
>
> What's the point of encouraging people to trust an untrustworthy structure?
Do you say the structure is untrustworthy because the TLD registrars
sometimes make mistakes? That is an inevitable side effect of any
large database system. The TLD databases ARE the reference for the
next tier name/address mapping, right or not. Anyone else acting as a
CA at this level would have to rely on those databases, or we begin
to get into the T-word big time.
What else would provide a good PKI basis for the sorts of certs I
allude to above?
Steve
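As an added illustration, not part of the thread, of how name constraints would scope a TLD-level CA in the structure Steve describes, the following Python applies the RFC 5280 dNSName and rfc822Name matching rules to a cert's subject alternative names; the TLD, host names and mailboxes are constructed for the example.

```python
"""Toy check of X.509 name constraints (RFC 5280 section 4.2.1.10) for
dNSName and rfc822Name, as a TLD-rooted CA would impose them.
Constructed example: the TLD, names and addresses are made up."""


def _dns_matches(name: str, constraint: str) -> bool:
    # A dNSName satisfies a constraint when it equals the constraint or is
    # built by adding labels to its left: "www.example.com" matches "com"
    # and "example.com"; "examplecom" does not match "com".
    name = name.lower().rstrip(".")
    constraint = constraint.lower().strip(".")
    return name == constraint or name.endswith("." + constraint)


def _rfc822_matches(addr: str, constraint: str) -> bool:
    # An rfc822Name constraint is a full mailbox (exact match), a host
    # (every mailbox on that host) or ".domain" (every mailbox under that
    # domain), i.e. it is keyed on the right side of the @.
    _local, sep, host = addr.partition("@")
    if not sep:
        return False
    if "@" in constraint:
        return addr.lower() == constraint.lower()
    if constraint.startswith("."):
        return host.lower().endswith(constraint.lower())
    return host.lower() == constraint.lower()


_MATCHERS = {"dNSName": _dns_matches, "rfc822Name": _rfc822_matches}


def name_permitted(general_name, permitted, excluded=()):
    """Return True if (type, value) falls inside the CA's name constraints.

    permitted/excluded are lists of (type, value) subtrees.  Excluded
    subtrees always win; when permitted subtrees exist for this name type,
    the name must lie inside at least one of them.  Name types with no
    permitted subtree are unconstrained, as RFC 5280 specifies."""
    kind, value = general_name
    match = _MATCHERS[kind]  # KeyError for name types this toy does not cover
    if any(match(value, c) for k, c in excluded if k == kind):
        return False
    same_type = [c for k, c in permitted if k == kind]
    return not same_type or any(match(value, c) for c in same_type)


if __name__ == "__main__":
    # Constructed constraints a hypothetical "com" TLD root might carry.
    tld = [("dNSName", "com"), ("rfc822Name", ".com")]
    print(name_permitted(("dNSName", "www.example.com"), tld))   # True
    print(name_permitted(("rfc822Name", "bob@example.org"), tld))  # False
```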