
RE: E911 location services (CAS system too)

2004-06-14 12:16:21
Thanks for the insight,

Harald,

You are right that the scheme I proposed in 1422 did not succeed, 
and today I would not suggest it. But, the reason I would not suggest 
it today is because I have come to believe that one should adopt CAs 
that are authoritative for the certs they issue, not "trusted" third 
parties. The DNS root is an example of such a CA, whereas RSA 
(proposed as the IPRA) was not.  If we deploy DNSSEC in a full, top 
down fashion, the effect is the same as what Kevin is suggesting, 
except that we would be using a standard cert format that is employed 
by many security protocols.

steve

I have no problem with the DNS authorities providing the authoritative
certs.  Actually without saying that I was thinking that they would be
authoritative for their own tree.  And just as DNS lets me
(servanttechnology.com) set up the servers (www, mail, etc...) in my tree
I would see the CAS system giving that same authority. I do believe that
a "bridge" trust between top level domains is a good solution rather
than the single root CA that, if compromised, would compromise all certs.
One difference between my vision for CAS and DNS is that DNS is expected
to provide all information publicly.  The CAS would be required to
keep some information private.

I am trying to see if there is any interest in using a parallel set of 
servers providing basically public keys.  This would parallel DNS which 
would continue providing IP addresses.  Maybe the parallel system is
overkill; I'm not sure.  I like it because it provides an independent
path to verify certs.  For example, the DNS could provide a signed
response and the CAS would act like a third party providing the
public key to verify the cert.  Otherwise, DNS would provide the 
signed cert and the public key to verify it.

I'm not sure but I would like to work out a solution.  DNSSEC works in
addition to what I think CAS would be.  The CAS cert would be for the
actual server answering the question "Can I believe that you are who
you say that you are?"  Where the DNSSEC is mainly concerned that the
DATA has a cert.  It is a different approach.  Also, DNSSEC refers to
an undefined "trust anchor"; I think CAS could fill that void.

The reason I think there is need for a CAS is because DNS is beginning
to use certs.  E-mail is talking about it.  VoIP will need to work out
some mechanism too.  Why not just put a general system of servers that
provides services (a framework) for certs?  Then every application (DNS,
E-mail, VoIP, etc...) can use it to support their own PKI services
requirements.  As I see it, even this framework should not reinvent the
wheel because work is already being done by the pkix WG.

Thanks again for the feedback.

Sal
Salvatore Mangiapane


