To: Steve Hanna <steve.hanna@sun.com>
Cc: Ted.Hardie@nominum.com, keydist@cafax.se
From: Ted Hardie <Ted.Hardie@nominum.com>
Date: Fri, 4 Jan 2002 09:59:58 -0800
Content-Disposition: inline
Delivery-Date: Fri Jan 4 19:00:02 2002
In-Reply-To: <3C35BD82.ED1C7BB9@sun.com>; from steve.hanna@sun.com on Fri, Jan 04, 2002 at 09:34:42AM -0500
Reply-To: Ted.Hardie@nominum.com
Sender: owner-keydist@cafax.se
User-Agent: Mutt/1.2.5i
Subject: Re: From whence we came...
On Fri, Jan 04, 2002 at 09:34:42AM -0500, Steve Hanna wrote:
> What applications do you have in mind? In many application protocols
> where there's no user (like NNTP or LDAP replication), there's an
> administrator who might want to configure their own trust anchors.
> But for DNS, I can see the value in having a single global trust
> anchor to maintain a consistent world-wide directory. Are there
> other examples where a global trust anchor generally makes sense?
>
> -Steve

Steve,

I'm personally interested in the kinds of things the FreeS/WAN folks are doing, and I see some application in things like secure MTA-MTA communication (particularly in the context of Internet Fax).

The basic problem I see, though, is that there is no particular reason for an application to believe that a CA should be authoritative for a particular host. If there is a user at a browser being presented with a cert signed by Joe's Bait and Tackle CA, that user may realize that her or his broker is unlikely to be using JBT as a CA. A man in the middle attack would be thwarted, in other words, only because a user had a good sense of who was and wasn't a trustworthy CA. As others have noted, that may or may not be a good assumption about the users.

If I have an application with no user, as you note, some administrator must configure a trusted set of CAs, which will eliminate secure communication with anyone not using those CAs. That either perpetuates a monopoly/oligopoly, reduces the usefulness of the system, or both.

The DNS can give an application some reason to believe that a particular key/cert should be authoritative for a particular host or service. (Of course, if the DNS is secured so that applications are assured that the data they receive is the data placed into the zone by the zone's administrator, that reason to believe turns into a trust anchor).

regards,
Ted Hardie
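The following is an added illustration, not part of Ted Hardie's message or of the keydist thread, that puts the two trust models he contrasts side by side in Python. It is a toy: a CA "signature" is stood in for by an HMAC-SHA256 under a constructed CA secret, the "zone record" is simply the SHA-256 digest of the key the zone operator considers authoritative for a host (the shape later standardised as DANE/TLSA, which is not mentioned on the page), and every name, key and secret is constructed for the example. The `dnssec_validated` flag models the parenthetical in the message: a zone-published binding is only a trust anchor when the application can be sure the record is what the zone administrator published.

```python
"""Two ways an application can decide that a public key is authoritative for a host.

Constructed example. Model 1 (classic PKI): any CA in the trust store may vouch
for any host name. Model 2 (zone-published binding): the host's own DNS zone
states which key is authoritative, and the binding counts only when the zone
data itself is authenticated. Signatures are toy HMACs, not real X.509.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    host: str      # name the certificate claims
    spki: bytes    # subject public key, opaque bytes in this toy model
    issuer: str    # CA name
    sig: bytes     # toy signature: HMAC-SHA256(ca_secret, host || spki)


def ca_sign(ca_name: str, ca_secret: bytes, host: str, spki: bytes) -> Cert:
    """Toy CA issuance: the CA vouches for (host, spki) under its secret."""
    mac = hmac.new(ca_secret, host.encode() + spki, hashlib.sha256).digest()
    return Cert(host, spki, ca_name, mac)


def ca_model_accepts(cert: Cert, host: str, trust_store: dict) -> bool:
    """Classic PKI check: the certificate names the host and is signed by
    *some* CA in the trust store. Nothing ties the CA to this host."""
    if cert.host != host or cert.issuer not in trust_store:
        return False
    expected = hmac.new(trust_store[cert.issuer],
                        cert.host.encode() + cert.spki,
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.sig)


def spki_digest(spki: bytes) -> str:
    """Digest the zone operator publishes for the key it considers authoritative."""
    return hashlib.sha256(spki).hexdigest()


def dns_binding_accepts(cert: Cert, host: str, zone: dict,
                        dnssec_validated: bool) -> bool:
    """Zone-published binding: accept only the key the host's zone names.
    Unauthenticated zone data gives a reason to believe, not a trust anchor,
    so it is not accepted here."""
    if not dnssec_validated or cert.host != host:
        return False
    return hmac.compare_digest(zone.get(host, ""), spki_digest(cert.spki))


def demo() -> dict:
    """Scenario: the broker's real certificate beside one that an unrelated but
    trusted CA issued for the same name with a different key (all constructed)."""
    trust_store = {
        "Reputable CA": b"constructed-secret-reputable",
        "Joe's Bait and Tackle CA": b"constructed-secret-jbt",
    }
    host = "broker.example"
    real_key = b"constructed-spki-of-the-broker"
    other_key = b"constructed-spki-of-someone-else"

    real_cert = ca_sign("Reputable CA", trust_store["Reputable CA"], host, real_key)
    misissued_cert = ca_sign("Joe's Bait and Tackle CA",
                             trust_store["Joe's Bait and Tackle CA"], host, other_key)

    # Constructed zone record: broker.example publishes the digest of its real key.
    zone = {host: spki_digest(real_key)}

    return {
        "ca_accepts_real": ca_model_accepts(real_cert, host, trust_store),
        "ca_accepts_misissued": ca_model_accepts(misissued_cert, host, trust_store),
        "dns_accepts_real": dns_binding_accepts(real_cert, host, zone, True),
        "dns_accepts_misissued": dns_binding_accepts(misissued_cert, host, zone, True),
        "dns_unsigned_real": dns_binding_accepts(real_cert, host, zone, False),
    }


if __name__ == "__main__":
    for outcome, accepted in demo().items():
        print(f"{outcome}: {accepted}")
```

Under the CA model both certificates pass, because the trust store alone cannot say which CA is authoritative for `broker.example`; under the zone-published binding only the key the zone names is accepted, and with unauthenticated zone data nothing is accepted at all, which is the distinction the message draws between a reason to believe and a trust anchor.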