

To: Edward Lewis <lewis@tislabs.com>
cc: Keith Moore <moore@cs.utk.edu>, keydist@cafax.se
From: Keith Moore <moore@cs.utk.edu>
Date: Thu, 28 Mar 2002 11:30:50 -0500
In-reply-to: (Your message of "Thu, 28 Mar 2002 10:07:22 EST.") <v0313030fb8c8debf46d8@[199.171.39.21]>
Sender: owner-keydist@cafax.se
Subject: Re: Leveraging trust

> >if we want the DNS root to hold together, we need to place as little
> >strain on it as possible.  giving the root additional responsibility
> >doesn't strike me as a good way to do this.
> 
> Does this mean that we shouldn't sign the root zone?  

perhaps.
 
> Between that and the comments on the root, would it be acceptable to rely
> on a set of SLDs (such as we'll-sign-your-data.com) as anchors of "trust?"

it must be left to each individual user, to determine what he/she/it trusts.

> Should we re-instrument resolvers of DNS to know just how many "leaps of
> faith" were made in evaluating the integrity of a piece of data?

it's difficult to delegate this to a resolver. the confidence in a
signature chain cannot meaningfully be reduced to a single number;
it varies nonlinearly according to the purpose for which a signature 
is being used.

> It seems to me that the concept of hierarchy gives us a scaleable and
> deterministic framework at the cost of creating a breaking point (the
> root).  

or in other words, just as there are scaling limits to bilateral
agreements, there are also scaling limits to a hierarchy - for 
different reasons.

> Does this mean that a trust system based upon hierarchy is doomed?  

no.  clearly it can be made to work on a small scale - and on a 
larger scale within organizations where DNS delegation can be made to
closely match delegation of authority.  (e.g. a military organization)

> Is there an alternative framework that will allow trust to be leveraged, be
> scaleable, yet not suffer from choke points?  

there are probably ways to make a hierarchy scale better. for instance,
by requiring that there be multiple signatures on higher-level zones
that are maintained by different parties that are unrelated to one 
another, and by requiring that changes to higher-level zones be made 
only according to a well-defined, publicly-documented, and highly 
visible process.  but even these mechanisms have scaling limitations.
for instance, if you require multiple parties to sign the root, then
some small number of those parties can veto any changes to the root.

Keith

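As an added illustration (not code from this thread, from the keydist list, or from any DNSSEC implementation), the following toy Python model puts the three mechanisms under discussion side by side: trust anchors chosen by the individual user, a count of how many delegation steps a validation crosses before it reaches one of those anchors, and a k-of-n signing requirement on the root, together with the veto arithmetic the last paragraph points to. Every zone, party and key name is constructed, and an HMAC over the zone key stands in for a public-key signature so the policy logic runs offline; the returned step count is information for the user's own policy, not a confidence score.

```python
"""Toy model: user-chosen trust anchors, counted delegation steps, and a
k-of-n signing policy on the root.  Added illustration only; all names and
keys below are constructed and HMAC stands in for a real signature."""
import hashlib
import hmac

# Constructed per-party secrets.  A real deployment would use private keys;
# a shared secret lets HMAC act as a stand-in signature here.
PARTY_KEYS = {
    "party-a": b"secret-a",
    "party-b": b"secret-b",
    "party-c": b"secret-c",
    "com-registry": b"secret-com",
    "net-registry": b"secret-net",
    "example-registrar": b"secret-example",
    "child-admin": b"secret-child",
    "outsider": b"secret-outsider",
}

# Signature policy by zone depth (0 = root): the root's key holders must
# supply 2 distinct signatures; every other zone needs 1.
REQUIRED = {0: 2}

ZONES = {}  # name -> {"key", "parent", "holders", "sigs"}


def sign(party, payload):
    return hmac.new(PARTY_KEYS[party], payload, hashlib.sha256).hexdigest()


def verify(party, payload, sig):
    return hmac.compare_digest(sign(party, payload), sig)


def depth(name):
    return 0 if name == "." else name.rstrip(".").count(".") + 1


def required(zone_name):
    return REQUIRED.get(depth(zone_name), 1)


def publish(name, parent, holders, signed_by):
    """Constructed zone entry: `holders` control this zone's key, `signed_by`
    are the parties that signed it (only the parent's holders will count)."""
    key = f"key-of-{name}".encode()
    ZONES[name] = {"key": key, "parent": parent, "holders": set(holders),
                   "sigs": [(p, sign(p, key)) for p in signed_by]}


def validate(name, anchors):
    """Walk from `name` up toward a zone the user trusts directly.

    Returns (ok, leaps): ok is True when every zone on the path carries the
    number of valid parent-holder signatures its parent's policy requires;
    leaps is the number of delegation steps crossed before an anchor was
    reached.  (False, None) means the chain broke or never met an anchor."""
    leaps = 0
    while name not in anchors:
        zone = ZONES.get(name)
        if zone is None or zone["parent"] is None:
            return False, None
        parent = ZONES[zone["parent"]]
        # Only signatures by parties that actually hold the parent's key count,
        # and each party is counted once however many times it signed.
        valid = {p for p, s in zone["sigs"]
                 if p in parent["holders"] and verify(p, zone["key"], s)}
        if len(valid) < required(zone["parent"]):
            return False, None
        leaps += 1
        name = zone["parent"]
    return True, leaps


def veto_size(n_parties, k_required):
    """Smallest coalition that can block a change under a k-of-n policy.
    Requiring all n signers means a single party can veto."""
    return n_parties - k_required + 1


# Constructed zone tree.  The root is held by three unrelated parties.
publish(".", None, ["party-a", "party-b", "party-c"], [])
publish("com.", ".", ["com-registry"], ["party-a", "party-b"])      # 2 of 3
publish("net.", ".", ["net-registry"], ["party-a"])                 # only 1 of 3
publish("example.com.", "com.", ["example-registrar"], ["com-registry"])
publish("corp.example.com.", "example.com.", ["child-admin"], ["example-registrar"])
publish("unvouched.com.", "com.", ["child-admin"], ["outsider"])    # signer is not a com. holder

if __name__ == "__main__":
    print("root anchor  :", validate("corp.example.com.", {"."}))          # (True, 3)
    print("SLD anchor   :", validate("corp.example.com.", {"example.com."}))  # (True, 1)
    print("net. via root:", validate("net.", {"."}))                       # (False, None)
    print("veto, 3-of-3 :", veto_size(3, 3), " veto, 2-of-3:", veto_size(3, 2))
```

Anchoring at `example.com.` instead of the root shortens the chain to one step and sidesteps the root policy entirely, which is the user-level choice the reply insists on; `net.` fails under the 2-of-3 root rule, and a signature from a party that does not hold the parent zone's key is simply not counted.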