

To: "Greg Hudson" <ghudson@MIT.EDU>, "Simon Josefsson" <simon+keydist@josefsson.org>
Cc: "Steve Hanna" <steve.hanna@sun.com>, <keydist@cafax.se>
From: "James Seng/Personal" <jseng@pobox.org.sg>
Date: Fri, 4 Jan 2002 14:59:00 +0800
Delivery-Date: Fri Jan 4 07:59:33 2002
Sender: owner-keydist@cafax.se
Subject: Re: From whence we came...

> For some applications (anything using DNS-based identifiers: email, ssh,
> etc.), if two departments don't trust their common DNS
> ancestor, there is a problem, since that ancestor is implicitly authorized
> to administer both DNS spaces.  Right now the information provided by that
> ancestor isn't (generally) provided securely, but that doesn't mean people
> don't trust it.

I may trust DNS to give me the right network resource information. But I
may not want to trust DNS to give me the identity of my banker. I may
want to trust my trust authority for that purpose. PKIX allows me to do
so (regardless of its other problems).

So if we really want to stuff DNS more with keys or certs, then I would
rather it be certs. The size problem can be solved with proper profiling
of cert format and crypto algorithms.

> It is very easy to argue that PKI, in its current incarnation, is not
> practical beyond use by web sites belonging to companies with large
> budgets.  "Every certificate generates $500 in revenue to Verisign" is not
> what some of us call practical.

PKI may have some problems that still need to be resolved, many of them
in revocation, deployment, practices, but to say PKI = Verisign is gross.
You have ignored all the other PKI applications in non-Internet areas.

> It is also a little bothersome to have one authority give out DNS
> information and another authority give out certificates saying that I hold
> an identifier at a given domain.  What happens if they disagree?

This is where the user chooses which authority to trust. Depending on the
user's selection, the result is different.

>   * Everyone trusts and knows the public key of some number of well-known
>     PKIX roots.  (Just like almost every web browser trusts Verisign and
>     knows its public key, on account of having a pre-configured
>     self-signed root certificate.)

Nope, not everyone trusts a single PKI root. Some group of people trusts
their one root. Another group trusts their own root. There should be
multiple PKI roots, each one for a different purpose with a different
policy.

> If the requirement for preconfigured root CAs bothers you, then you
> shouldn't like the DNS solution either, since it requires every recursive
> resolver to know the public key of the DNS root.

A pre-configured root CA for one purpose (in the case of DNS queries) is
okay. It has limited applications and trust.

A pre-configured root CA for all purposes bothers me a lot. It implies users
trust a default root CA without knowing they are trusting it in the
first place!

Extending a limited trust (trust of DNS) to generic trust is what
bothers me.

-James Seng

