I said:
Unless I entirely misunderstand this thread, he is saying that the
DNS can be trusted to maintain the binding between my host's public
key and my host's name--WITHOUT using a signed certificate. Before I
die choking on my morning coffee, I would like to know something:
What assurance features and mechanisms [are proposed] to
make us trust all the servers in the worldwide DNS system that much?
Someone replied privately to me:
If I read him correctly, he's assuming a trusted connection to a server
which has been vouched for by some other trusted server, over a trusted
connection. That setup is equivalent to a certificate hierarchy but with
trusted, encrypted channels over which you learn keys substituting for
signatures of those keys.
...
I'm not pushing this system -- just trying to read his message and answer
your question.
That was not my question. My question was
What assurance features or mechanisms are going to be used
throughout the DNS that will make all of us trust all of
those servers for all of our applications?
Are we going to mandate that all DNS nodes must satisfy TCSEC Class B3; be
locked in ISOC certified, inspected, and bonded rooms; receive keys only
via notary publics and registered mail; have all mass storage encrypted for
integrity; etc.? No, we aren't. The only reasonable way to guarantee the
integrity of public keys stored in the heterogeneous systems of untrusted
DNS servers, or in any other distributed directory system, is to have them
stored in unforgeable signed certificates, as defined, for example, in
X.509.
Regards, -Rob-
Robert W. Shirey, The MITRE Corporation, Mail Stop Z202
7525 Colshire Drive, McLean, Virginia 22102-3481 USA
shirey(_at_)mitre(_dot_)org * tel 703.883.7210 * fax 703.883.1397
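The point Shirey is making can be shown concretely: if the name-to-key binding is carried in a signed certificate, the relying party's decision depends only on the issuer's signature, and an untrusted DNS server that alters the record gains nothing. The following Go program is an added example, not code from the thread or from any DNS or X.509 implementation; it uses a minimal certificate structure (name, key, issuer signature over a canonical encoding) in place of real X.509, Ed25519 in place of the algorithms of the period, and keys derived from fixed seeds that are constructed here purely so the run is reproducible.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Binding is the association the thread is about: a host name and the
// host's public key.
type Binding struct {
	Name   string
	PubKey ed25519.PublicKey
}

// Certificate is a minimal stand-in for an X.509 certificate: the binding
// plus the issuer's signature over a canonical encoding of it.
type Certificate struct {
	Binding   Binding
	Signature []byte
}

// canonical encodes a binding unambiguously (length-prefixed fields) so the
// signature covers both the name and the key and the two cannot be re-split.
func canonical(b Binding) []byte {
	var lenBuf [4]byte
	buf := make([]byte, 0, 8+len(b.Name)+len(b.PubKey))
	binary.BigEndian.PutUint32(lenBuf[:], uint32(len(b.Name)))
	buf = append(buf, lenBuf[:]...)
	buf = append(buf, b.Name...)
	binary.BigEndian.PutUint32(lenBuf[:], uint32(len(b.PubKey)))
	buf = append(buf, lenBuf[:]...)
	buf = append(buf, b.PubKey...)
	return buf
}

// Issue signs a binding with the issuer's private key.
func Issue(issuer ed25519.PrivateKey, b Binding) Certificate {
	return Certificate{Binding: b, Signature: ed25519.Sign(issuer, canonical(b))}
}

// Verify checks a certificate against an issuer key the relying party already
// trusts. Whichever DNS server delivered the record plays no part in this
// decision; only the signature does.
func Verify(trustedIssuer ed25519.PublicKey, c Certificate) error {
	if len(c.Binding.PubKey) != ed25519.PublicKeySize {
		return errors.New("malformed subject key")
	}
	if !ed25519.Verify(trustedIssuer, canonical(c.Binding), c.Signature) {
		return errors.New("signature does not verify: binding forged or altered in transit")
	}
	return nil
}

// Scenario returns the relying party's verdict for (a) the genuine record,
// (b) the same record after an untrusted server substituted its own key,
// and (c) the record re-pointed at a different host name. Seeds are fixed
// constants (constructed for this example) so the run is deterministic.
func Scenario() (genuine, swappedKey, swappedName error) {
	issuer := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	host := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	attacker := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{3}, ed25519.SeedSize))
	issuerPub := issuer.Public().(ed25519.PublicKey)

	cert := Issue(issuer, Binding{Name: "host.example.", PubKey: host.Public().(ed25519.PublicKey)})
	genuine = Verify(issuerPub, cert)

	// Untrusted server keeps the signature but serves its own key.
	forged := cert
	forged.Binding.PubKey = attacker.Public().(ed25519.PublicKey)
	swappedKey = Verify(issuerPub, forged)

	// Untrusted server reuses a valid certificate under another name.
	moved := cert
	moved.Binding.Name = "other.example."
	swappedName = Verify(issuerPub, moved)
	return genuine, swappedKey, swappedName
}

func main() {
	g, k, n := Scenario()
	fmt.Println("genuine record:     ", g)
	fmt.Println("substituted key:    ", k)
	fmt.Println("re-pointed name:    ", n)
}
```

The design choice worth noting is that Verify takes the trusted issuer key as an explicit input: trust is anchored in a key the client holds, not in the path the record travelled, which is exactly the substitution Shirey is objecting to in the unsigned design.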