ietf

Re: Thoughts from IETF-92

2015-03-31 10:58:59
On Tue, Mar 31, 2015 at 07:10:43AM +0000, Fred Baker (fred) wrote:
> On Mar 30, 2015, at 3:55 PM, Richard Shockey <richard(_at_)shockey(_dot_)us> wrote:
> > The CU folks told us that this is the NUMBER 1 issue their members
> > complain about. Yes it is our problem because we define SIP.
>
> I spoke with one of them in the lobby Saturday morning. I explained
> how what she was calling for was a global (federated?) PKI, and she
> wasn’t likely to achieve her goal without one.

How did that go over?

Was she more interested in authenticating services or users?  (or both?)

But you know, we have a global, federated PKI: it's called DNSSEC.

> That it wasn’t a protocol problem, as we have the protocols and
> protocol support for it. All it takes is money.

Eh?  Money is probably not the most-needed thing.  A PKIX global
federated PKI would depend on various things, of which IMO the biggest
are:

 - Universal name constraints deployment (hah)

   Oh, I suppose money would help here.

and

 - Partitioning of the namespace so that relatively few CAs could vouch
   for any given name, and where such CAs coordinate with each other to
   prevent take-overs (as with DNS, where a zone might have multiple
   registrars, but with a single registry for a TLD).

   This probably means having registries and registrars, as in DNS.

   This requires more than money.  It requires will.  But..

...The thought occurs that one might as well use DNSSEC if what one
wants is a global, federated PKI.

Of course, using DNSSEC as a PKI does involve solving a variety of
[lesser, IMO] problems (last-mile issues, DANE for more protocols).

Nico
-- 
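
The two PKIX prerequisites listed in the message above (name constraints, and a namespace partitioned so that few CAs can vouch for a given name) can be modelled in a short sketch. This is an added example, not part of the original message: the CA names, the trust stores and the `sip.example.*` hostnames are constructed, and each CA is checked on its own rather than through full RFC 5280 path validation.

```python
from dataclasses import dataclass


def in_subtree(name: str, base: str) -> bool:
    """RFC 5280 dNSName rule: name matches if it equals base or adds
    whole labels on the left-hand side of base."""
    n = name.lower().rstrip(".").split(".")
    b = base.lower().rstrip(".").split(".")
    return len(n) >= len(b) and n[len(n) - len(b):] == b


@dataclass(frozen=True)
class CA:
    name: str
    permitted: tuple = ()  # permittedSubtrees; empty means unconstrained
    excluded: tuple = ()   # excludedSubtrees; always wins over permitted

    def may_vouch_for(self, dns_name: str) -> bool:
        if any(in_subtree(dns_name, e) for e in self.excluded):
            return False
        if not self.permitted:
            return True
        return any(in_subtree(dns_name, p) for p in self.permitted)


def vouchers(trust_store, dns_name):
    """Names of every CA in the store that could issue for dns_name."""
    return sorted(ca.name for ca in trust_store if ca.may_vouch_for(dns_name))


# Constructed trust stores (assumptions for illustration only).
# Without name constraints every trusted CA can vouch for every name.
UNCONSTRAINED = [CA("CA-A"), CA("CA-B"), CA("CA-C")]

# Partitioned namespace: each CA is limited to its own subtree.
PARTITIONED = [
    CA("CA-A", permitted=("example.com",)),
    CA("CA-B", permitted=("example.com",), excluded=("internal.example.com",)),
    CA("CA-C", permitted=("example.net",)),
]

if __name__ == "__main__":
    for host in ("sip.example.com", "pbx.internal.example.com", "sip.example.net"):
        print(host, vouchers(UNCONSTRAINED, host), vouchers(PARTITIONED, host))
```
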

