To: Keith Moore <moore@cs.utk.edu>
Cc: keydist@cafax.se
From: Simon Josefsson <simon+keydist@josefsson.org>
Date: Wed, 12 Jun 2002 23:19:55 +0200
In-Reply-To: <200206122054.g5CKskn02591@astro.cs.utk.edu> (Keith Moore's message of "Wed, 12 Jun 2002 16:54:46 -0400")
Sender: owner-keydist@cafax.se
User-Agent: Gnus/5.090007 (Oort Gnus v0.07) Emacs/21.2.90 (i686-pc-linux-gnu)
Subject: Re: Global PKI on DNS?
Keith Moore <moore@cs.utk.edu> writes:

>> Furthermore, the "upgrade" "problem" only affects those people that
>> want to use certificates in DNS, thus it is not a "problem" for them (or
>> anyone else).
>>
>> If you don't want to use CERT RRs you don't need to upgrade your DNS
>> server!
>>
>> If you want to use CERT RRs you need to upgrade your DNS server!
>>
>> I find it truly amazing that those two statements could possibly be
>> perceived as a design problem. It is what most people expect when
>> they bring in a new feature.
>
> well, you could make a similar statement about a different protocol -
> if you want to return certs you should support that protocol,
> if you don't want to return certs you don't need to support it!

In that case we are back at the problem that such a different protocol
would be useless unless it is somehow linked to data in DNS.

It seems we are stuck discussing protocol issues without agreeing on and
understanding the overall concept. I'll try to explain my overall
security concept of why I think this effort is needed:

Identity-based security (e.g., PKIX) needs managed identities. Someone
must have the authority to say that X is X and not Y. Today, DNS is the
best managed identity space in the global Internet. Successful use of
identity-based security needs to be linked to the system that manages
identities.

Some argue that identity-based security is inherently flawed because it
is impossible to define and manage identities properly and scalably. I'd
say we could use the namespace defined by DNS for this.

The reason for using DNS to distribute certs isn't just some technical
engineering idea that perhaps DNS could be tweaked into performing this
role; the reason is that identity-based security needs to be connected
to the system that manages identities.

Now, whether certificates/keys are actually transferred on the wire
inside the DNS protocol or not is mostly irrelevant; the point is that
the function of finding someone's keying material given only their name
must work. I don't see how you can achieve that without inserting data
or a pointer in DNS [or some other identity management system].
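As an added illustration of the last point (example code written for this archive, not part of Simon's message and not any keydist project code), the following Python models the "name in, keying material out" function over the CERT RR wire format of RFC 2538 (type, key tag, algorithm, certificate) together with the RFC 2535 Appendix C key tag used to link a CERT RR to a key. The zone contents, the owner names alice.example and bob.example, the key bytes and the certificate bytes are all constructed placeholders standing in for real DNS answers; the function and variable names are this example's own.

```python
import base64
import struct

# CERT RR type codes and mnemonics from RFC 2538 section 2.1, the CERT
# specification current when this thread was written.
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 253: "URI", 254: "OID"}


def key_tag(key_rdata: bytes) -> int:
    """Key tag over KEY/DNSKEY RDATA, RFC 2535 Appendix C (same as RFC 4034 B).

    A 16-bit checksum used to select among several keys at one name. It is
    not unique, so a matching tag is a pre-filter, never proof of which key
    is meant. (RFC 2535 special-cases algorithm 1, RSA/MD5; not handled here.)
    """
    ac = 0
    for i, b in enumerate(key_rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def build_cert_rdata(cert_type: int, tag: int, algorithm: int, cert: bytes) -> bytes:
    """Wire-format CERT RDATA: type (2 bytes), key tag (2), algorithm (1), certificate."""
    if not cert:
        raise ValueError("certificate field must not be empty")
    return struct.pack("!HHB", cert_type, tag, algorithm) + cert


def parse_cert_rdata(rdata: bytes) -> dict:
    """Parse CERT RDATA; rejects records too short to carry any certificate bytes."""
    if len(rdata) < 6:
        raise ValueError("CERT RDATA too short: %d bytes" % len(rdata))
    cert_type, tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return {
        "type": cert_type,
        "type_name": CERT_TYPES.get(cert_type, str(cert_type)),
        "key_tag": tag,
        "algorithm": algorithm,
        "certificate": rdata[5:],
    }


def to_presentation(record: dict) -> str:
    """RFC 2538 section 2.2 presentation format: type key_tag algorithm base64(cert)."""
    return "%s %d %d %s" % (
        record["type_name"], record["key_tag"], record["algorithm"],
        base64.b64encode(record["certificate"]).decode("ascii"),
    )


def normalize_name(name: str) -> str:
    """DNS owner names are case-insensitive; a trailing dot marks an absolute name."""
    return name.rstrip(".").lower()


# Constructed public key in KEY RDATA layout (flags 256, protocol 3, algorithm 5)
# with placeholder key bytes; this is not a real RSA key.
ALICE_KEY_RDATA = struct.pack("!HBB", 256, 3, 5) + bytes([0x03, 0x01, 0x00, 0x01])

# Constructed zone standing in for DNS: owner name -> list of CERT RDATA.
# bob.example has no CERT RRs, the case of a name whose operator never
# deployed certificate records at all.
ZONE = {
    "alice.example": [
        build_cert_rdata(1, key_tag(ALICE_KEY_RDATA), 5, b"constructed-cert"),
    ],
    "bob.example": [],
}


def lookup_keying_material(name: str) -> list:
    """The function the message argues for: a name in, parsed CERT RRs out."""
    return [parse_cert_rdata(r) for r in ZONE.get(normalize_name(name), [])]


def cert_matches_key(record: dict, key_rdata: bytes) -> bool:
    """Pre-filter: does this CERT RR's key tag select the given key?"""
    return record["key_tag"] == key_tag(key_rdata)


if __name__ == "__main__":
    for rec in lookup_keying_material("Alice.Example."):
        print("alice.example. IN CERT", to_presentation(rec))
    print("bob.example. CERT RRs:", lookup_keying_material("bob.example"))
```

Two things worth keeping in mind when reading it: a name with no CERT RRs simply yields an empty answer, which is the "no upgrade needed" case from the quoted exchange; and the key tag only narrows the candidate keys, so a consumer still has to match the certificate's public key against the key it actually holds.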