To: Edward Lewis <lewis@tislabs.com>
cc: keydist@cafax.se
From: Keith Moore <moore@cs.utk.edu>
Date: Tue, 08 Jan 2002 18:26:39 -0500
In-reply-to: Your message of "Tue, 08 Jan 2002 17:41:56 EST." <v0313032ab8611ba86b66@[208.58.218.52]>
Sender: owner-keydist@cafax.se
Subject: Re: From whence we came...

One thing of which I'm certain is that any key (material) distribution system which assumes a single model for trust is doomed to near-irrelevance. Trust is fundamentally a human concept, and humans have a variety of models for trust.

I carry several kinds of credentials with me in my wallet. Some of these make assertions about my identity - effectively associating a name, physical address, and nationality to someone matching my physical characteristics. Others make assertions about my ability to honor a loan agreement, to operate a motor vehicle, to pilot an aircraft, etc. Different transactions require different combinations of these credentials. My passport will not substitute for my university identification card, nor vice versa, even though both are (to some degree) assertions about my identity. Fraudulent use of a credit card has a different kind of risk than fraudulent use of a passport, and there are different mechanisms to minimize the negative effects of those risks.

Trust models in cyberspace will need to be similarly varied, and any system for key material distribution will need to accommodate many different trust models. If it is to be successful it cannot impose any trust models on its users. The best it can do is to provide a variety of methods by which a client might verify a principal's credentials, and let the client decide which one he/she/it trusts for his/her/its particular application.

And due to several limitations, I think it's going to be very difficult to cram all of this into DNS.

Keith