
Re: Global PKI on DNS?

2002-06-19 09:50:15
At 6:17 PM -0400 6/16/02, Keith Moore wrote:
> > Multiple cert paths do not necessarily make for more trust, but they
> > do add enough complexity to make the system unscaleable, not to
> > mention the revocation issues ...
>
> uuh.  A single root CA definitely doesn't scale, because there is no CA
> that everyone can trust.  There might be scalability issues with multiple
> paths, but they're not as fundamental as that.

Keith,

If explicit trust is required I agree, but in the DNS case we already
have a singly-rooted tree that everyone relies upon. If you want to
use the word "trust" then we all trust the root for DNS, but I think
the term is not applicable here.

If we created a DNS-based PKI, we would be relying on the correct
operation of each of the DNS domains for secure identification, in
lieu of relying on them for insecure identification.

Steve


