To: Steve Hanna <steve.hanna@sun.com>
Cc: Ted.Hardie@nominum.com, keydist@cafax.se
From: Ted Hardie <Ted.Hardie@nominum.com>
Date: Fri, 4 Jan 2002 09:59:58 -0800
Content-Disposition: inline
Delivery-Date: Fri Jan 4 19:00:02 2002
In-Reply-To: <3C35BD82.ED1C7BB9@sun.com>; from steve.hanna@sun.com on Fri, Jan 04, 2002 at 09:34:42AM -0500
Reply-To: Ted.Hardie@nominum.com
Sender: owner-keydist@cafax.se
User-Agent: Mutt/1.2.5i
Subject: Re: From whence we came...

On Fri, Jan 04, 2002 at 09:34:42AM -0500, Steve Hanna wrote:
> What applications do you have in mind? In many application protocols
> where there's no user (like NNTP or LDAP replication), there's an
> administrator who might want to configure their own trust anchors.
> But for DNS, I can see the value in having a single global trust
> anchor to maintain a consistent world-wide directory. Are there
> other examples where a global trust anchor generally makes sense?
> 
> -Steve

Steve,

I'm personally interested in the kinds of things the FreeS/WAN folks
are doing, and I see some application in things like secure MTA-MTA
communication (particularly in the context of Internet Fax).

The basic problem I see, though, is that there is no particular reason
for an application to believe that a CA should be authoritative for a
particular host.  If there is a user at a browser being presented with
a cert signed by Joe's Bait and Tackle CA, that user may realize that
her or his broker is unlikely to be using JBT as a CA.  A man in the
middle attack would be thwarted, in other words, only because a user
had a good sense of who was and wasn't a trustworthy CA.  As others
have noted, that may or may not be a good assumption about the users.

If I have an application with no user, as you note, some administrator
must configure a trusted set of CAs, which will eliminate secure
communication with anyone not using those CAs.  That either
perpetuates a monopoly/oligopoly, reduces the usefulness of the
system, or both.  The DNS can give an application some reason to
believe that a particular key/cert should be authoritative for a
particular host or service.  (Of course, if the DNS is secured so that
applications are assured that the data they receive is the data placed
into the zone by the zone's administrator, that reason to believe
turns into a trust anchor).

				regards,
					Ted Hardie


