Re: Global PKI on DNS?

 > Yes, one could use the DNS merely as a repository for certs from any

 PKI. But, the DNS provides a unique opportunity to take advantage of
 an existing name system that is very widely used and which is
 precisely the way we usually communicate the name of the machine to
 which we wish to connect (or the name of the person to whom we wish
 to send a message).


right, but the name is just a shorthand, it doesn't actually specify
the service to which we wish to connect.  it's entirely possible that
the name-to-service binding has changed without our knowing it,
which is why it's *essential* that we don't depend on such names
as our primary identity for authenticaiton.


The name is precisely what we specify to get to the machine (or
cluster of machines) in question. So long as we use a DNS name for
that purpose, it makes sense to use a certified DNS name to verify
that we are connected to the place we said we wanted to contact.


no it doesn't.  because even if the name is what we type in, it's
not what determines whether we actually talked to the service we
wanted to talk to.  it's not what determines whether we trust the results.

Which services are offered at that machine is a different matter.


actually the user is rarely concerned about machines these days, he/she 
is almost always concerned with which service he/she is talking to.
the mapping between machines and services is almost arbitrary.

What's the point of encouraging people to trust an untrustworthy structure?


Do you say the structure is untrustworthy because the TLD registrars
sometimes make mistakes?


Yes, among other reasons.  
Especially if you mean 'mistakes were made' in the Nixon sense.

But there's also the fairly fundamental problem that if you trust
the DNS PKI you're placing your trust in one or more parties with 
which you have no relationship, and no basis for trusting them.

This trust is abused enough already, but at present the gTLDs 
actually have only the barest of mechanisms for manipulating us.  
Give them more influence and they'll abuse it even more.

What else would provide a good PKI basis for the sorts of certs I
allude to above?


IMHO the very notion of a global PKI is fatally flawed.
OTOH limited-scope PKIs can be quite useful.

Keith

<Prev in Thread]	Current Thread	[Next in Thread>
Re: Global PKI on DNS?, (continued) Re: Global PKI on DNS?, Einar Stefferud Re: Global PKI on DNS?, Stephen Kent Re: Global PKI on DNS?, Keith Moore Re: Global PKI on DNS?, Stephen Kent Re: Global PKI on DNS?, Keith Moore Re: Global PKI on DNS?, Stephen Kent Re: Global PKI on DNS?, Keith Moore Re: Global PKI on DNS?, Stephen Kent Re: Global PKI on DNS?, Keith Moore Re: Global PKI on DNS?, Stephen Kent Re: Global PKI on DNS?, Keith Moore <= Re: Global PKI on DNS?, Stephen Kent Re: Global PKI on DNS?, Keith Moore Re: Global PKI on DNS?, Stephen Kent Re: Global PKI on DNS?, Keith Moore Re: Global PKI on DNS?, Robert Elz Re: Global PKI on DNS?, Michael Richardson RE: Global PKI on DNS?, Ari Ollikainen RE: Global PKI on DNS?, Stephen Kent Re: Global PKI on DNS?, John Stracke Re: Global PKI on DNS?, Stephen Kent