At 11:58 AM -0400 6/25/02, Keith Moore wrote:
> We seem to agree that the DNS could be used to distribute certs, so
> the question is what should the certs attest to and who should issue
> them. I argue that we need certs that support validation of DNS
> bindings, and that the only authoritative sources for that info are
> the folks who manage the DNS.
and there is no assurance that they're trustworthy.
> since trustworthiness is a relative term, that can always be said
> about any CA. that's why I don't like dealing with CAs based on
> trust. authoritativeness is a quality that is less contentious in
> many contexts, including this one.
the question is why IETF should endorse the idea of TLDs (or other
zones) being CAs when that is not needed to authenticate the RRs for
which the zones are responsible.
> and a DNS-based PKI would not require anyone to trust it.
no, but IETF would be blessing the idea of TLDs becoming CAs when
this is not necessary for them to serve their function, and then
saying on the other hand "of course it's your choice about whether
to trust them". it reminds me of the "voluntary" income-tax
collection system we have in the US.
> you fear that people would decide to rely on this new aspect of the
> infrastructure and you think that, because of the specific
> organizations operating some TLDs, this would be a bad choice.
no, it's not *because* of the specific organizations. however
specific organizations have demonstrated that TLDs are not necessarily
trustworthy.
or to put it another way, the trustworthiness of the DNS system as
a whole is maximized if the shared zones (those that are not delegated
to a single private individual or organization) are not given more
responsibility or authority than absolutely necessary.
Keith