To: "Greg Hudson" <ghudson@MIT.EDU>, "Simon Josefsson" <simon+keydist@josefsson.org>
Cc: "Steve Hanna" <steve.hanna@sun.com>, <keydist@cafax.se>
From: "James Seng/Personal" <jseng@pobox.org.sg>
Date: Fri, 4 Jan 2002 14:59:00 +0800
Delivery-Date: Fri Jan 4 07:59:33 2002
Sender: owner-keydist@cafax.se
Subject: Re: From whence we came...
> For some applications (anything using DNS-based identifiers: email, ssh,
> etc.), if two departments don't trust their common DNS
> ancestor, there is a problem, since that ancestor is implicitly authorized
> to administer both DNS spaces. Right now the information provided by that
> ancestor isn't (generally) provided securely, but that doesn't mean people
> don't trust it.

I may trust DNS to give me the right network resource information. But I may not want to trust DNS to give me the identity of my banker. I may want to trust my trust authority for that purpose. PKIX allows me to do so (regardless of its other problems).

So if we really want to stuff DNS with more keys or certs, then I would rather it be certs. The size problem can be solved with proper profiling of the cert format and crypto algorithms.

> It is very easy to argue that PKI, in its current incarnation, is not
> practical beyond use by web sites belonging to companies with large
> budgets. "Every certificate generates $500 in revenue to Verisign" is not
> what some of us call practical.

PKI may still have some problems that need to be resolved, many revolving around revocation, deployment and practices, but to say PKI = Verisign is gross. You have ignored all the other PKI applications in non-Internet areas.

> It is also a little bothersome to have one authority give out DNS
> information and another authority give out certificates saying that I hold
> an identifier at a given domain. What happens if they disagree?

This is where the user chooses which authority to trust. Depending on the user's selection, the results are different.

> * Everyone trusts and knows the public key of some number of well-known
> PKIX roots. (Just like almost every web browser trusts Verisign and
> knows its public key, on account of having a pre-configured
> self-signed root certificate.)

Nope, not everyone trusts a single PKI root. One group of people trusts their own root. Another group trusts their own root. There should be multiple PKI roots, each one for a different purpose with a different policy.

> If the requirement for preconfigured root CAs bothers you, then you
> shouldn't like the DNS solution either, since it requires every recursive
> resolver to know the public key of the DNS root.

A pre-configured root CA for one purpose (in this case, for DNS queries) is okay. It has limited applications and trust. A pre-configured root CA for all purposes bothers me a lot. It implies users trust a default root CA without knowing they are trusting it in the first place! Extending a limited trust (trust of DNS) to generic trust is what bothers me.

-James Seng