Re: Global PKI on DNS?
2002-06-17 11:47:01
At 10:53 AM -0700 6/17/02, Ed Gerck wrote:
Stephen Kent wrote:
<snip>
If I am a member of multiple communities, and if I have a cert
issued by each community for use in its context, I don't need to
communicate AMONG the communities, just within them.
Why restrict how you/I/we can communicate? The technical system
should not pass its limitations as features.
We're not talking about a communication restriction. We're talking
about whether credentials that attest to my identity in one community
are meaningful in another community. I have an ISOC member card. It
identifies me uniquely via my member number. So does my ACM card. So
does my video rental card. None of these ID numbers is useful outside
the community in which it was issued. The same would be true for
certs issued by these folks acting as CAs for their respective
communities.
<snip>
I quote from your paper, with the relevant text in bold:
3.1.2. Distinguished Names
The first question of Section 3.1. was
"who is S?", which has to be answered with a name-like attribute.
Of course, if we use natural names we will not go very far before a
similar name is found in the world population. Thus, to allow for
programs (i.e., verifiers, subjects, etc.) to deal with entities in
the Internet, it is necessary to have a "naming convention" that
may allow a unique and singular name to be used for each entity --
which is usually called a "Distinguished Name" or DN. With DNs, it
would be possible to uniquely associate entities to contract
numbers, accounts, etc., without requiring the account numbers,
etc. to be also unique. The problem is that there is no naturally
found DN for each member of the human race, computer, machine, etc.
Of course, if such a DN existed, then the reference problem in the
Internet would also not exist. But since the Internet is void of a
standard reference as we saw in Section 1, this means that the DN
question has also no extrinsic solution.
DNS names are "natural" in the Internet and provide unique IDs for
machines, at the granularity needed for the sorts of applications we
are discussing.
The paper at http://www.mcg.org.br/cie.htm is
name-agnostic. That text is not in the beginning and
is NOT a problem handled by the paper. The paper just makes the
(correct) affirmation that X.500
DNs do not work as expected. The reader can use any naming
convention the reader wants --
including DNS names or DNs.
Sorry, but I didn't infer that from the text, but then I admit that I
did not read all of the paper.
<snip>
Why do you say that? Any DNS name specifies a path from the
root to a node in the DNS tree, just as an X.500 DN does. What
is not hierarchic about a DNS name?
As Stef has already discussed elsewhere, the DNS naming scheme is an
ontology. That is, it is hierarchical
only in that the totality of names in the tree is a hierarchy, but
there need be no meaningful relationship
between the names at any level of the DNS name tree.
DNS names bear no specific relationship to anything, hierarchical or
not. Some people want them to
represent geography, others want them to conform to rigid product
and service categories, others want them
to be used as a Directory. There are many hierarchical and
non-hierarchical relationships you can define
within the *same* DNS name space. The environment is potentially
much more complex and varied than
a relatively simple one dimensional hierarchy, including: (1)
territories (e.g., cnri.reston.va.us), (2) type of
sponsoring institution (e.g., fcc.gov), or (3) a hybrid of the two
(e.g., dillons.co.uk). Because the Internet is
basically an open, distributed information system, the identifiers
aren't really tied to any physical notion of
geographical exercise of sovereignty either.
Also, contrary to DNs assigned by an RA as defined in X.509, most DNS
names are self assigned and then
are registered in some system that is used to advertise arbitrarily
assigned bindings to other entities.
Perhaps we just don't mean the same thing when we talk of names being
hierarchic. By hierarchic I mean that they have a syntax that is
mapped directly to a hierarchy, in this case a singly-rooted tree.
An authority for one part of the tree cannot assign names for another
part of the tree, because the names are always assigned relative to
the issuer's name. The examples you give above do not contradict any
of this, so I assume we're just talking about different properties of
names. I do agree that there are limits on what one can infer about an
entity based on a DNS name, but these are precisely the limits we
live with by virtue of using these names to identify machines and
people, and all I am suggesting is that we improve the quality of the
binding by using certs instead of just DNS entries.
Yes, DNS names do not always adhere to strict geographic notions, but
then people have had trouble deciding how to deal appropriately with
X.500 DNs for multi-national companies. So, what's the big deal?
DNS names are not totally self-assigned. One is restricted in the
selection based on where one can attach in the tree. I cannot get a
name under ibm.com as an employee of BBN. The bindings are not
arbitrary, in general. The MIL and GOV domains are pretty
restrictive, and EDU is not too bad. ORG and NET lost their original
meanings over time. But, my point is that a DNS name is just what it
is, nothing more, and we rely on these names every day, for better or
worse. So, why not make this reliance more secure?
Steve
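An added model of the property Kent argues for above: a DNS name, like an X.500 DN, is a root-to-node path in a singly rooted tree, so an authority for one node can only vouch for names below that node. This is example code written for this page, not code from the thread or from the cited paper; the zone names, DNs and candidate host names are constructed, and the DN parser deliberately ignores RFC 4514 escaping and multi-valued RDNs.

```python
from collections.abc import Callable


def dns_path(name: str) -> list[str]:
    """Root-to-node label path of a DNS name: 'www.IBM.com.' -> ['com', 'ibm', 'www'].
    Labels are case-folded (DNS matching is case-insensitive); the root '.' is []."""
    stripped = name.rstrip(".").lower()
    if not stripped:
        return []
    labels = stripped.split(".")
    if any(label == "" or len(label) > 63 for label in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    return labels[::-1]


def dn_path(dn: str) -> list[str]:
    """Root-to-node path of an RFC 4514 string DN, which is written leaf-first:
    'CN=www,O=IBM,C=US' -> ['c=US', 'o=IBM', 'cn=www'] (simplified: no escaping)."""
    rdns = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr_type, value = rdn.split("=", 1)
        rdns.append(f"{attr_type.strip().lower()}={value.strip()}")
    return rdns[::-1]


def in_subtree(node: list[str], authority: list[str]) -> bool:
    """True if `node` is `authority` itself or lies below it.  Whole labels are
    compared, so neither 'notibm.com' nor 'ibm.com.example.net' is under 'ibm.com'."""
    return node[: len(authority)] == authority


def outside_authority(authority: str, names: list[str],
                      to_path: Callable[[str], list[str]]) -> list[str]:
    """Names the authority has no standing to vouch for: those whose root-to-node path
    does not pass through its own node (the test an X.509 permittedSubtrees constraint makes)."""
    root = to_path(authority)
    return [n for n in names if not in_subtree(to_path(n), root)]


if __name__ == "__main__":
    # Constructed sample: Kent's point that an ibm.com authority cannot name a BBN host.
    hosts = ["www.ibm.com", "Mail.IBM.com.", "bbn.com", "ibm.com.example.net", "notibm.com"]
    print("ibm.com may not vouch for:", outside_authority("ibm.com", hosts, dns_path))
    # The same containment test over X.500 DNs, the naming scheme Kent compares DNS to.
    dns = ["CN=www,O=IBM,C=US", "CN=host,O=BBN,C=US"]
    print("O=IBM,C=US may not vouch for:", outside_authority("O=IBM,C=US", dns, dn_path))
```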