At 10:08 AM -0400 7/22/05, Francois Menard wrote:
> I would for example not trust .travel from new.net if ICANN had
> assumed control over .travel ... I should be able to pick this from
> a PKI-based P2P trust chain, would I not?

Then you have created a new root, namely a combined one that you have
hand-crafted yourself. It might not sound like a root, but it truly
is. With a traditional trust anchor, the people trusting it also
trust that the anchor will have unique names beneath it. In your
proposal, you start with a group of trust anchors, and you
hand-select where there are name conflicts of names beneath two of
the anchors. In doing so, you elevate yourself to being root, and you
hide the existence of the trust anchors in your new personal
hierarchy.

At 4:16 PM +0200 7/22/05, Stephane Bortzmeyer wrote:
> Since other people would have a different trust chain, this will be a
> significant move from the current semantics of the DNS.

Exactly right. In the current DNS, there is essentially no one saying
"Trust Anchor A and Trust Anchor B differ on who are the name servers
for .travel, so I'm going to pick the ones from Trust Anchor A."
(FWIW, .travel just appeared in the root zone yesterday.)

> I do not say that it is good or bad, just that it is a different
> system than the one users are accustomed to.

Well, because it is both quite different than what we have today, and
it would be really difficult to explain to the vast majority of
internet users, I would say it would be "bad" to introduce it now. A
similar model would be fine in other contexts, but not the DNS or the
IP address space.
--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf