Re: Global PKI on DNS?
2002-06-17 10:35:20
At 9:51 AM -0700 6/17/02, Ed Gerck wrote:
>Stephen Kent wrote:
>>At 2:29 PM -0700 6/14/02, Ed Gerck wrote:
>>>Stephen Kent wrote:
>>>
>>>> My examples of disjoint credential spaces in the physical world are
>>>> not unified and they ought not be. There usually is no incentive for
>>>> the issuers to cross certify in most cases for these separate roots,
>>>> and it creates new liability concerns, and raises trust issues.
>>>
>>>OTOH, it is a problem if you want to talk outside of your gopher hole ;-)
>>
>>I anticipate belonging to a lot of communities (PKIs), just as I do today.
>
>and you anticipate having the same problems to communicate among them ;-)
>Instead, why not solve the problems ...

If I am a member of multiple communities, and if I have a cert issued
by each community for use in its context, I don't need to communicate
AMONG the communities, just within them.

<SNIP>

>>I don't agree. I looked briefly at your reference (cited below) and
>>it begins by arguing about the difficulty of naming things uniquely
>>in the Internet. But in the DNS context, this is a solved problem, so
>>I don't think the extensive analysis you provide is applicable here.
>
>;-) there is no such beginning. Either you did not reach the correct
>site/paper or you need to read it.

I quote from your paper, with the relevant text in bold:

3.1.2. Distinguished Names

The first question of Section 3.1. was "who is S?", which has to be
answered with a name-like attribute. Of course, if we use natural
names we will not go very far before a similar name is found in the
world population. Thus, to allow for programs (i.e., verifiers,
subjects, etc.) to deal with entities in the Internet, it is
necessary to have a "naming convention" that may allow a unique and
singular name to be used for each entity -- which is usually called a
"Distinguished Name" or DN. With DNs, it would be possible to
uniquely associate entities to contract numbers, accounts, etc.,
without requiring the account numbers, etc. to be also unique. The
problem is that there is no naturally found DN for each member of the
human race, computer, machine, etc. Of course, if such a DN existed,
then the reference problem in the Internet would also not exist. But
since the Internet is void of a standard reference as we saw in
Section 1, this means that the DN question has also no extrinsic
solution.

DNS names are "natural" in the Internet and provide unique IDs for
machines, at the granularity needed for the sorts of applications we
are discussing.

<SNIP>

>>>The DNS names do not have the same hierarchy that one associates
>>>per X.509/X.500 with a DN. The DNS is less than a single rooted tree
>>>because there are no neccessarily hierarchical dependencies, just
>>>hierarchical placements.
>>
>>Huh? Both DNS and X.500 use hierarchic names allocated in a
>>distributed fashion from a singly rooted tree. We have a convention
>>for how to map DNS names to DNs, using the DC attribute. I do not
>>understand the phrase "there are no neccessarily [sic] hierarchical
>>dependencies, just hierarchical placements"
>
>Apparently, you believe that DNS names and X.500 names are somehow
>similar ("use hierarchic names allocated in a distributed fashion from a
>singly rooted tree"). They are not -- DNS names do not to a hierarchy
>belong.

Why do you say that? Any DNS name specifies a path from the root to
a node in the DNS tree, just as an X.500 DN does. What is not
hierarchic about a DNS name?

Steve
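Kent's two claims above, that a convention maps DNS names to DNs through the DC (domainComponent) attribute and that a DNS name spells out a path from the root to a node, can be checked mechanically. The following Python is an added example written for this page, not code from the thread or from either author; the host names in it are constructed.

```python
# Added example (not from the thread): map DNS names to X.500-style DNs with
# the domainComponent (DC) attribute and back, and list the root-to-node path
# that both name forms encode.  Sample names are constructed for illustration.

def _labels(name: str) -> list[str]:
    """Split a DNS name into labels, rejecting empty or malformed ones."""
    labels = name.strip(".").split(".")
    for label in labels:
        if not label or not label.replace("-", "").isalnum():
            raise ValueError(f"bad DNS label: {label!r}")
    return labels

def dns_to_dn(name: str) -> str:
    """DC convention: one DC RDN per label, most specific label first."""
    return ",".join(f"DC={label}" for label in _labels(name))

def dn_to_dns(dn: str) -> str:
    """Inverse mapping; a DN containing any non-DC RDN is not DNS-derived."""
    labels = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or attr.strip().upper() != "DC" or not value:
            raise ValueError(f"not a pure DC name: {rdn!r}")
        labels.append(value)
    return ".".join(labels)

def path_from_root(name: str) -> list[str]:
    """Ancestors from the DNS root down to the node, one entry per label."""
    path, suffix = [], ""
    for label in reversed(_labels(name)):
        suffix = label if not suffix else f"{label}.{suffix}"
        path.append(suffix)
    return path

def dn_path_from_root(dn: str) -> list[str]:
    """The same walk on the DN side: each ancestor is a suffix of the full DN."""
    rdns = [r.strip() for r in dn.split(",")]
    return [",".join(rdns[i:]) for i in range(len(rdns) - 1, -1, -1)]

if __name__ == "__main__":
    for host in ("www.example.com", "mail.example.org"):
        dn = dns_to_dn(host)
        print(host, "->", dn)
        print("  DNS path:", path_from_root(host))
        print("  DN path: ", dn_path_from_root(dn))
```

The two path lists line up entry for entry, which is the sense in which a DNS name and its DC-form DN describe the same position in a singly rooted tree.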