To:
Keith Moore <moore@cs.utk.edu>
Cc:
Edward Lewis <lewis@tislabs.com>, keydist@cafax.se
From:
Edward Lewis <lewis@tislabs.com>
Date:
Thu, 28 Mar 2002 10:07:22 -0500
In-Reply-To:
<200203280018.g2S0I9Z02561@astro.cs.utk.edu>
Sender:
owner-keydist@cafax.se
Subject:
Re: Leveraging trust
At 7:18 PM -0500 3/27/02, Keith Moore wrote: >if we want the DNS root to hold together, we need to place as little >strain on it as possible. giving the root additional responsibility >doesn't strike me as a good way to do this. Does this mean that we shouldn't sign the root zone? (This may sound like a sarcastic question, but I don't mean it that way. I am trying to understand the limits of "as little ... as possible.") In one of the older DNSSEC documents, now RFC 2065, is the following passage: "A resolver should keep track of the number of successive secure zones traversed from a starting point to any secure zone it can reach. In general, the lower such a distance number is, the greater the confidence in the data." Between that and the comments on the root, would it be acceptable to rely on a set of SLDs (such as we\'ll-sign-your-data.com) as anchors of "trust?" Should we re-instrument resolvers of DNS to know just how many "leaps of faith" were made in evaluating the integrity of a piece of data? It seems to me that the concept of hierarchy gives us a scaleable and deterministic framework at the cost of creating a breaking point (the root). One of the other effects is that an open protocol based on hierarchy seems to engender "market-dominate" entities because it seems that there is ususally one best player in the game and folks want the best player as their service provider. Does this mean that a trust system based upon hierarchy is doomed? Is there an alternative framework that will allow trust to be leveraged, be scaleable, yet not suffer from choke points? By leveraged, I mean the ability to start at trusting some point and being able to travel to a lot of other points in a trustworthy way. By scaleable, I mean something that is easily understood and simple enough to function in a large population of independent instances. An example of a choke point is an entity that undermines the faith of the community to an extent that this single handedly tears the framework down. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis NAI Labs Phone: +1 443-259-2352 Email: lewis@tislabs.com Opinions expressed are property of my evil twin, not my employer.