

To: "James Seng/Personal" <jseng@pobox.org.sg>
Cc: "Greg Hudson" <ghudson@MIT.EDU>, "Steve Hanna" <steve.hanna@sun.com>, <keydist@cafax.se>
From: Simon Josefsson <simon+keydist@josefsson.org>
Date: Fri, 04 Jan 2002 19:44:26 +0100
Delivery-Date: Fri Jan 4 19:46:05 2002
In-Reply-To: <014101c194ed$4d075250$dd00a8c0@jamessonyvaio> ("JamesSeng/Personal"'s message of "Fri, 4 Jan 2002 14:59:00 +0800")
Sender: owner-keydist@cafax.se
User-Agent: Gnus/5.090005 (Oort Gnus v0.05) Emacs/21.1.50(i686-pc-linux-gnu)
Subject: Re: From whence we came...

"James Seng/Personal" <jseng@pobox.org.sg> writes:

>> For some applications (anything using DNS-based identifiers: email,
>> ssh, etc.), if two departments don't trust their common DNS
>> ancestor, there is a problem, since that ancestor is implicitly
>> authorized to administer both DNS spaces.  Right now the information
>> provided by that ancestor isn't (generally) provided securely, but
>> that doesn't mean people don't trust it.
>
> I may trust DNS to give me the right network resource information.

Do you mean DNS with DNSSEC?  I wouldn't trust DNS to give me correct
information without DNSSEC.

> But I may not want to trust DNS to give me the identity of my
> banker. I may want to trust my trust authority for that
> purpose. PKIX allows me to do so (regardless of its other problems).

Yes, yes.  I am not proposing that you trust that the public key for
www.bank.org belongs to your bank (this is the purpose of a PKIX-like
PKI), but I am proposing that with DNSSEC you can trust that the
public key for the host www.bank.org is what your bank (and no one
else) wants to use for that host.  Data authentication VS Data ORIGIN
authentication.

>> It is also a little bothersome to have one authority give out DNS
>> information and another authority give out certificates saying that I
>> hold an identifier at a given domain.  What happens if they disagree?
>
> This is where the user chooses which authority to trust. Depending on the
> user's selection, the result is different.
>
>>   * Everyone trusts and knows the public key of some number of
>>     well-known PKIX roots.  (Just like almost every web browser trusts
>>     Verisign and knows its public key, on account of having a
>>     pre-configured self-signed root certificate.)
>
> Nope, not everyone trusts a single PKI root. Some groups of people trust
> their one root. Other groups trust their own root. There should be
> multiple PKI roots, each one for a different purpose with a different
> policy.

I agree, if you need more trust than DNSSEC is designed to provide
(data origin authentication) you need PKIX or something similar.
(Please note that Steve Hanna and not I said that, the attribution in
your reply was wrong.)

>> If the requirement for preconfigured root CAs bothers you, then you
>> shouldn't like the DNS solution either, since it requires every
>> recursive resolver to know the public key of the DNS root.
>
> Pre-configured root CA for one purpose (in the case for DNS queries) is
> okay. It has limited applications and trust.
>
> Pre-configured root CA for all purposes bothers me a lot. It implies users
> trust a default root CA without knowing they are trusting it in the
> first place!
>
> Extending a limited trust (trust of DNS) to generic trust is what
> bothers me.

Me too.  It cannot work so I don't think it will happen.  The trust
you put in DNSSEC should be limited to trusting that some piece of
data came from a certain origin.  You can't assert anything about
trust in the piece of data using DNSSEC.
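To make the distinction drawn in this message concrete, here is an added example (not code from the thread or from any of its participants) in Go: a toy DNSSEC chain of trust with freshly generated keys, where Validate answers only whether a record came from the zone the delegation chain points at. The zone names other than www.bank.org, the SSHFP data strings, and the single-key-per-zone simplification are constructed assumptions for the illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// Zone is a toy DNSSEC zone with one signing key (the KSK/ZSK split is omitted).
type Zone struct{ Pub ed25519.PublicKey; priv ed25519.PrivateKey }
func NewZone() *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Zone{pub, priv}
}
type Record struct{ Owner, Type, Data string; Sig []byte } // owner/type/data plus RRSIG-like signature
func wire(r Record) []byte { return []byte(r.Owner + "|" + r.Type + "|" + r.Data) }
func (z *Zone) Sign(owner, typ, data string) Record {
	r := Record{Owner: owner, Type: typ, Data: data}
	r.Sig = ed25519.Sign(z.priv, wire(r))
	return r
}
// dsDigest is the DS record content: a hash of the child zone's public key.
func dsDigest(pub ed25519.PublicKey) string { return fmt.Sprintf("%x", sha256.Sum256(pub)) }
type Link struct{ DS Record; ChildKey ed25519.PublicKey } // one delegation: parent-signed DS plus child DNSKEY
// Validate answers one question only: did rec come from the zone the chain delegates to?
func Validate(anchor ed25519.PublicKey, chain []Link, rec Record) bool {
	key := anchor
	for _, l := range chain {
		if l.DS.Type != "DS" || !ed25519.Verify(key, wire(l.DS), l.DS.Sig) || l.DS.Data != dsDigest(l.ChildKey) {
			return false
		}
		key = l.ChildKey // the DS authenticated this key, so it may sign the next level
	}
	return ed25519.Verify(key, wire(rec), rec.Sig)
}
// Scenario builds root -> org -> bank.org (constructed keys and fingerprints) and reports whether a genuine record, a tampered one, and an unrelated zone's record validate.
func Scenario() (genuine, tampered, otherZone bool) {
	root, org, bank, other := NewZone(), NewZone(), NewZone(), NewZone()
	orgLink := Link{root.Sign("org", "DS", dsDigest(org.Pub)), org.Pub}
	bankChain := []Link{orgLink, {org.Sign("bank.org", "DS", dsDigest(bank.Pub)), bank.Pub}}
	rec := bank.Sign("www.bank.org", "SSHFP", "fingerprint-published-by-bank")
	forged := rec
	forged.Data = "fingerprint-substituted-in-transit" // changed after signing: origin check fails
	// An unrelated but correctly delegated zone validates just as well: DNSSEC proves the data came from other.org's operator, not that this operator is your bank (that is PKIX's job).
	otherChain := []Link{orgLink, {org.Sign("other.org", "DS", dsDigest(other.Pub)), other.Pub}}
	oRec := other.Sign("www.other.org", "SSHFP", "fingerprint-published-by-other")
	return Validate(root.Pub, bankChain, rec), Validate(root.Pub, bankChain, forged), Validate(root.Pub, otherChain, oRec)
}
func main() { fmt.Println(Scenario()) } // prints: true false true
```

The third result is the point of the message: a validated record is authentic data from some zone's operator, and nothing in the chain says who that operator is.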
