Is cryptography where security took the wrong branch?

Anne & Lynn Wheeler lynn at garlic.com
Tue Sep 9 16:24:00 EDT 2003


At 05:19 PM 9/7/2003 -0600, Anne & Lynn Wheeler wrote:
>Out of all this, there is somewhat a request from the CA/PKI industry that 
>a public key be registered as part of domain name registration (no 
>certificate, just a public key registration). Then SSL domain name 
>certificate requests coming into a CA/PKI can be digitally signed, the 
>CA/PKI can retrieve the authoritative authentication public key (for the 
>domain name ownership) from the domain name infrastructure and 
>authenticate the request .... eliminating all the identification gorp (and 
>also done w/o the use of certificates).
>
>misc. additional recent musings:
>http://www.garlic.com/~lynn/2003l.html#60  Proposal for a new PKI model 
>(At least I hope it's new)

The "Database gaps make ID fraud easier, GAO says"
http://www.gcn.com/vol1_no1/daily-updates/23446-1.html

is somewhat analogous to the SSL domain name certificate problem ... a 
primary purpose for existing is to authenticate that the website you think 
you are talking to is the website you are talking to.

The problem is that the domain name infrastructure has a database of domain 
name owners .... but no real good infrastructure ... and the CA/PKI 
operations doing SSL domain name certifications are disjoint from the 
domain name infrastructure operations. As a result .... effectively the 
CA/PKI industry has to treat requests for SSL domain name certificates 
as if they came from a random person walking in off the street ... and 
then they have to try and match up such seemingly random requests ... with 
what little bit of information that they can extract from the domain name 
infrastructure (seeing if they can establish an identity in the real world 
based on the DNS database information ... and seeing if that identity can then 
be matched against the identity of the entity requesting the certificate).

Adding a public key to the domain name infrastructure database as part of 
the domain name registration process .... then eliminates the requirement 
of trying to establish corresponding identities in the real world ... 
and it just reduces to a question of authentication.

Of course, the bottom line is if the domain name infrastructure has a 
real-time database of public keys for authentication purposes .... in part 
for use by the CA/PKI industry for authenticating SSL domain name 
certificate requests .... for use in authentication operations .... the use 
of the domain name infrastructure's authentication public keys doesn't have 
to be restricted just to authentication use by the CA/PKI industry. In 
fact, domain name infrastructure authentication public keys could effectively 
be used for authentication operations that actually subsume the SSL 
domain name certificate authentication operations.



--
Anne & Lynn Wheeler    http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
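The registration-plus-signed-request flow the post sketches, as an added example in Go that is not from the post, from the domain name infrastructure, or from any real CA software: the registry is a hypothetical in-memory map from domain to Ed25519 public key standing in for "a public key registered as part of domain name registration", the request and challenge formats (SHA-256 over a context label, the domain and the signed material) are assumptions for the example, and the keys and nonce are generated inside it. It also carries the post's last point one step further: the same registered key answers a relying party's challenge directly, with no certificate involved.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Registry models the domain name infrastructure's database extended with the
// owner's authentication public key recorded at registration time. This is a
// hypothetical in-memory stand-in; the real registry, its lookup protocol and
// the record format are assumptions, not something the post specifies.
type Registry map[string]ed25519.PublicKey

// Register records the public key the registrant supplies with the domain.
func (r Registry) Register(domain string, pub ed25519.PublicKey) {
	r[domain] = pub
}

// CertRequest is a digitally signed SSL domain name certificate request: the
// domain, the server key to be certified, and a signature by the key registered
// for that domain. The field layout is an assumption for this example.
type CertRequest struct {
	Domain    string
	ServerKey ed25519.PublicKey
	Sig       []byte
}

// requestDigest binds the domain and server key under a fixed context label so
// a signature made for one purpose cannot be replayed for another.
func requestDigest(domain string, serverKey ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write([]byte("ssl-cert-request\x00"))
	h.Write([]byte(domain))
	h.Write([]byte{0})
	h.Write(serverKey)
	return h.Sum(nil)
}

// SignRequest is what the domain owner does before sending the request to a CA.
func SignRequest(domain string, serverKey ed25519.PublicKey, ownerPriv ed25519.PrivateKey) CertRequest {
	return CertRequest{
		Domain:    domain,
		ServerKey: serverKey,
		Sig:       ed25519.Sign(ownerPriv, requestDigest(domain, serverKey)),
	}
}

// VerifyRequest is what the CA does: fetch the authoritative key for the
// requested domain from the registry and check the signature. No real-world
// identity of the requester is needed; the signature either verifies or not.
func VerifyRequest(r Registry, req CertRequest) error {
	pub, ok := r[req.Domain]
	if !ok {
		return errors.New("no authentication key registered for " + req.Domain)
	}
	// Length check first: ed25519.Verify panics on a malformed public key.
	if len(pub) != ed25519.PublicKeySize ||
		!ed25519.Verify(pub, requestDigest(req.Domain, req.ServerKey), req.Sig) {
		return errors.New("request for " + req.Domain + " is not signed by the registered key")
	}
	return nil
}

// ownershipDigest is the challenge the owner signs: a fresh nonce bound to the
// domain under its own context label, distinct from the request label above.
func ownershipDigest(domain string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("domain-auth-challenge\x00"))
	h.Write([]byte(domain))
	h.Write([]byte{0})
	h.Write(nonce)
	return h.Sum(nil)
}

// ProveOwnership uses the registered key directly, with no certificate:
// the owner signs the relying party's nonce bound to the domain.
func ProveOwnership(domain string, nonce []byte, ownerPriv ed25519.PrivateKey) []byte {
	return ed25519.Sign(ownerPriv, ownershipDigest(domain, nonce))
}

// CheckOwnership is the relying party's side: look the key up, verify the answer.
func CheckOwnership(r Registry, domain string, nonce, sig []byte) bool {
	pub, ok := r[domain]
	return ok && len(pub) == ed25519.PublicKeySize &&
		ed25519.Verify(pub, ownershipDigest(domain, nonce), sig)
}

func main() {
	reg := Registry{}
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader) // registrant's key
	reg.Register("example.com", ownerPub)

	serverPub, _, _ := ed25519.GenerateKey(rand.Reader) // key to be certified
	fmt.Println("owner's request:   ", VerifyRequest(reg, SignRequest("example.com", serverPub, ownerPriv)))

	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader) // "random person off the street"
	fmt.Println("stranger's request:", VerifyRequest(reg, SignRequest("example.com", serverPub, strangerPriv)))

	nonce := make([]byte, 32)
	rand.Read(nonce)
	fmt.Println("direct challenge:  ", CheckOwnership(reg, "example.com", nonce, ProveOwnership("example.com", nonce, ownerPriv)))
}
```

The two distinct context labels matter: a CA that accepted a bare signature over the domain name could be handed a signature the owner produced for some other purpose, so each use of the registered key signs a differently labelled digest. Everything the CA needs is the registry lookup plus one verify; the identity matching the post describes disappears from the flow.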
  


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com