Is cryptography where security took the wrong branch?

bmanning at karoshi.com bmanning at karoshi.com
Wed Sep 10 06:39:09 EDT 2003


> >certificate requests coming into a CA/PKI can be digitally signed, the 
> >CA/PKI can retrieve the authoritative authentication public key (for the 
> >domain name ownership) from the domain name infrastructure and 
> >authenticate the request .... eliminating all the identification gorp (and 
> >also done w/o the use of certificates).
> >
> >misc. additional recent musings:
> >http://www.garlic.com/~lynn/2003l.html#60  Proposal for a new PKI model 
> >(At least I hope it's new)

	Not particularly new. This was/is the promise of DNSSEC.
	Early work, the TBDS and FMESHD projects.  Current IETF
	work, OE and IPSECKEY.

> The problem is that the domain name infrastructure has a database of domain 
> name owners .... but no real good infrastructure ... 

	Not entirely.  The reverse maps are a well defined infrastructure
	space.

> Of course, the bottom line is if the domain name infrastructure has a 
> real-time database of public keys for authentication purposes .... in part 
> for use by the CA/PKI industry for authenticating SSL domain name 
> certificate requests .... for use in authentication operations .... the use 
> of the domain name infrastructure's authentication public keys don't have 
> to just be restricted to authentication use by the CA/PKI industry. In 
> fact, domain name infrastructure authentication public keys could be used 
> to effectively for authentication operations that actually subsume the SSL 
> domain name certificates authentication operations.

	There are some other problems w/ using the DNS.
		No revocation process.
		DNS caching
		third-party trust (DNS admins != delegation holder)

> 
> --
> Anne & Lynn Wheeler    http://www.garlic.com/~lynn/
> Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
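The "no revocation process" and "DNS caching" objections above amount to one mechanism: once a resolver has cached a key record, the zone owner cannot make it forget that record before the TTL runs out. The following is a constructed simulation added here to show that window; it is not code from the thread, from DNSSEC, or from any of the projects named. The zone, resolver, the name example.com, the key material and the TTL values are all made up, and HMAC-SHA256 stands in for a real public-key signature scheme, so the "key" published in the zone is simply the HMAC secret (a deliberate simplification, not how a real key record works).

```python
"""Constructed simulation of the revocation-vs-caching problem (added example,
not code from the thread or from any DNSSEC implementation).

A key published in DNS keeps being accepted by verifiers behind a caching
resolver until that resolver's cached copy expires, no matter how quickly the
zone owner overwrites the record.  HMAC-SHA256 stands in for a signature
scheme, so the published "key" is just the HMAC secret (simplification).
"""
import hashlib
import hmac


class AuthoritativeZone:
    """The zone owner's nameserver: name -> (key material, TTL in seconds)."""

    def __init__(self):
        self.records = {}

    def publish(self, name, key, ttl):
        # Whoever runs this server decides what key the world sees: this is
        # the "DNS admins != delegation holder" trust problem in one line.
        self.records[name] = (key, ttl)

    def lookup(self, name):
        return self.records[name]


class CachingResolver:
    """A recursive resolver that honours TTLs the way DNS caches do."""

    def __init__(self, zone):
        self.zone = zone
        self.cache = {}  # name -> (key, absolute expiry time)

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit is not None and now < hit[1]:
            return hit[0]  # still fresh: the authoritative server is never asked
        key, ttl = self.zone.lookup(name)
        self.cache[name] = (key, now + ttl)
        return key


def sign(key, message):
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key, message, signature):
    return hmac.compare_digest(sign(key, message), signature)


def simulate(ttl=3600, rotation_time=600, check_times=(300, 900, 3000, 3700)):
    """Return {t: accepted} for a request forged with a stolen key.

    The old key is published with the given TTL, a resolver caches it at t=0,
    the zone owner replaces it at rotation_time (the only "revocation" DNS
    offers), and a verifier behind that resolver checks the forged request
    at each time in check_times.
    """
    name = "example.com"                       # hypothetical zone
    old_key, new_key = b"old-key-material", b"new-key-material"  # made up
    request = b"certificate request for example.com"
    zone = AuthoritativeZone()
    resolver = CachingResolver(zone)
    zone.publish(name, old_key, ttl)
    resolver.resolve(name, now=0)              # cache warmed while old key is current
    forged = sign(old_key, request)            # attacker holds a copy of old_key
    results = {}
    for t in sorted(check_times):
        if t >= rotation_time and zone.lookup(name)[0] != new_key:
            zone.publish(name, new_key, ttl)   # owner overwrites the record
        key_seen = resolver.resolve(name, now=t)
        results[t] = verify(key_seen, request, forged)
    return results


if __name__ == "__main__":
    for t, accepted in simulate().items():
        print(f"t={t:5d}s  forged request accepted: {accepted}")
```

With the defaults, the forged request is still accepted at t=900 and t=3000 even though the authoritative record was replaced at t=600; it is only refused at t=3700, when the cached copy has expired and the resolver finally asks the zone again. Signing the zone changes none of this: a validating resolver also serves the validated record from cache until its TTL runs out, so the only lever the zone owner has is a short TTL, paid for in query load. Changing the TTL argument to simulate shows that trade-off directly.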