To: Keith Moore <moore@cs.utk.edu>
Cc: Steve Hanna <steve.hanna@sun.com>, Simon Josefsson <simon+keydist@josefsson.org>, Edward Lewis <lewis@tislabs.com>, keydist@cafax.se
From: Derek Atkins <warlord@MIT.EDU>
Date: 14 Jan 2002 18:42:23 -0500
In-Reply-To: <200201142317.g0ENHJi00683@astro.cs.utk.edu>
Sender: owner-keydist@cafax.se
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
Subject: Re: looking for draft volunteers
Keith Moore <moore@cs.utk.edu> writes:

> > Unless, of course, we have a single CA that we can all trust. And
> > quite honestly the only central authority that anyone in the internet
> > has any trust in at the moment (albeit very little trust) is the DNS
> > root.
>
> Quite honestly, there is no central authority in the Internet (or
> in the Real World) which everyone will (or should) trust absolutely.
>
> (And if you make it so attractive to attack the DNS root then it becomes
> even less trustworthy than it is now)
>
> But in the meatspace world this doesn't stop us from extending limited
> amounts of trust to various kinds of credentials - including some issued
> by central authorities of fairly large domains - but we vary the degree
> of trust that we place in a credential according to the authority that
> issued it, our perceived likelihood that it's forged, and the purpose for
> which we're authenticating.

That's fine.

> If you want to store the DNS root key (or perhaps the keys of most
> TLDs) on your client, and use DNSSEC keys to verify the public key
> of a random email recipient with which you have no prior association,
> that's probably better than having no key at all. But you'd be
> naive to trust that key to safeguard information for which disclosure
> could cost lives.

Of course. Similarly, I wouldn't trust a key from solely DNS to identify
my bank or banker. The point is that DNSSec _is_ better than nothing, and
most work on the internet _is_ casual communication. For more important
stuff there is usually some meat-space relationship a priori during which
trust/key information can be exchanged. I can certainly see a bank sending
out their key information in statements, for example, or having them
printed in their brochures.

> In other words, getting keys solely by DNSSEC and knowledge of the
> DNS root might be okay for casual use, but it's not a mechanism in
> which one should place arbitrary amounts of trust. At the same time,
> using DNS to find keys and using external means to authenticate
> them can provide keys which are more trustworthy (because you have
> that external information) without your having to have previously
> acquired and verified every key you might want to use.

That's fine, too. My point is that I think it's ok if we only solve the
casual use problem.

> I think a single framework could accommodate the entire spectrum
> of trustworthiness vs. pre-verification. The real trick is to
> provide the user with enough information so that he doesn't place
> an inappropriate amount of trust in whatever keys he's getting.

I'm not 100% convinced that a single framework is either necessary or
sufficient, but we can discuss that.

> Keith

-derek

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available