Is cryptography where security took the wrong branch?
bmanning at karoshi.com
Wed Sep 10 06:39:09 EDT 2003
> >certificate requests coming into a CA/PKI can be digitally signed, the
> >CA/PKI can retrieve the authoritative authentication public key (for the
> >domain name ownership) from the domain name infrastructure and
> >authenticate the request .... eliminating all the identification gorp (and
> >also done w/o the use of certificates).
> >
> >misc. additional recent musings:
> >http://www.garlic.com/~lynn/2003l.html#60 Proposal for a new PKI model
> >(At least I hope it's new)
Not particularly new. This was/is the promise of DNSSEC:
early work, the TBDS and FMESHD projects; current IETF
work, OE and IPSECKEY.
> The problem is that the domain name infrastructure has a database of domain
> name owners .... but no real good infrastructure ...
Not entirely. The reverse maps are a well-defined infrastructure
space.
> Of course, the bottom line is if the domain name infrastructure has a
> real-time database of public keys for authentication purposes .... in part
> for use by the CA/PKI industry for authenticating SSL domain name
> certificate requests .... for use in authentication operations .... the use
> of the domain name infrastructure's authentication public keys don't have
> to just be restricted to authentication use by the CA/PKI industry. In
> fact, domain name infrastructure authentication public keys could be used
> effectively for authentication operations that actually subsume the SSL
> domain name certificates' authentication operations.
There are some other problems w/ using the DNS:
No revocation process.
DNS caching.
Third-party trust (DNS admins != delegation holder).
>
> --
> Anne & Lynn Wheeler http://www.garlic.com/~lynn/
> Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
>
>
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
>
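The three objections above (no revocation, DNS caching, and trust in whoever administers the zone) can be made concrete with a small simulation. The following is an added example written for this archive page, not code from either poster or from any DNSSEC/IPSECKEY implementation. It models a zone that publishes an owner's public key, a CA whose resolver caches that record for its TTL, and a signed "certificate request" checked against the key fetched from DNS. The signature scheme is a deliberately tiny textbook RSA (constructed primes 61/53 and 67/71, useless for real security) so that the block runs on the standard library alone; the zone name `example.test`, the TTLs and the clock values are constructed.

```python
"""Toy model: authenticating requests with a public key published in DNS,
and what a TTL cache and zone-admin control do to that check."""
import hashlib
from typing import Dict, Optional, Tuple

PubKey = Tuple[int, int]   # (n, e)
PrivKey = Tuple[int, int]  # (n, d)


# ---- toy RSA with tiny constructed parameters: illustration only, not secure ----
def toy_rsa_keypair(p: int = 61, q: int = 53, e: int = 17) -> Tuple[PubKey, PrivKey]:
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def _digest(msg: bytes, n: int) -> int:
    # Hash the message and reduce it into the RSA modulus range.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def toy_sign(msg: bytes, priv: PrivKey) -> int:
    n, d = priv
    return pow(_digest(msg, n), d, n)


def toy_verify(msg: bytes, sig: int, pub: PubKey) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)


# ---- the "domain name infrastructure": an authoritative zone plus a caching resolver ----
class Zone:
    """Authoritative records, name -> (public key, TTL). Only the zone admin writes here."""

    def __init__(self) -> None:
        self.records: Dict[str, Tuple[PubKey, int]] = {}

    def publish(self, name: str, pub: PubKey, ttl: int) -> None:
        self.records[name] = (pub, ttl)

    def remove(self, name: str) -> None:
        # Pulling the record is the only "revocation" the DNS model offers.
        self.records.pop(name, None)


class CachingResolver:
    """Resolver with a TTL cache, as a CA's long-running resolver would have."""

    def __init__(self, zone: Zone) -> None:
        self.zone = zone
        self.cache: Dict[str, Tuple[PubKey, int]] = {}  # name -> (pub, expires_at)

    def lookup(self, name: str, now: int) -> Optional[PubKey]:
        hit = self.cache.get(name)
        if hit is not None and now < hit[1]:
            return hit[0]  # answered from cache; the authority is never asked
        rec = self.zone.records.get(name)
        if rec is None:
            self.cache.pop(name, None)
            return None
        pub, ttl = rec
        self.cache[name] = (pub, now + ttl)
        return pub


def authenticate_request(resolver: CachingResolver, name: str,
                         request: bytes, sig: int, now: int) -> bool:
    """The CA-side check: fetch the owner's key via DNS and verify the signed request."""
    pub = resolver.lookup(name, now)
    return pub is not None and toy_verify(request, sig, pub)


def run_scenario() -> Dict[str, bool]:
    zone = Zone()
    owner_pub, owner_priv = toy_rsa_keypair()
    zone.publish("example.test", owner_pub, ttl=3600)
    ca_resolver = CachingResolver(zone)
    req = b"certificate request for example.test"  # constructed request body

    # t=10: a legitimately signed request is accepted and the key is now cached.
    accepted_initially = authenticate_request(
        ca_resolver, "example.test", req, toy_sign(req, owner_priv), now=10)

    # t=100: the owner learns the private key leaked and pulls the DNS record.
    zone.remove("example.test")
    leaked_sig = toy_sign(req, owner_priv)  # produced by whoever holds the leaked key

    # t=200: the CA's cached copy still validates; a cold resolver sees no key at all.
    cached_accepts_revoked = authenticate_request(ca_resolver, "example.test", req, leaked_sig, now=200)
    fresh_rejects_revoked = not authenticate_request(CachingResolver(zone), "example.test", req, leaked_sig, now=200)
    # Only once the TTL runs out (t=3610) does the cached resolver re-ask and reject.
    rejected_after_ttl = not authenticate_request(ca_resolver, "example.test", req, leaked_sig, now=10 + 3600)

    # Third-party trust: the zone admin, not the delegation holder, decides what key is published.
    admin_pub, admin_priv = toy_rsa_keypair(p=67, q=71)
    zone.publish("example.test", admin_pub, ttl=3600)
    admin_key_accepted = authenticate_request(
        CachingResolver(zone), "example.test", req, toy_sign(req, admin_priv), now=300)

    return {
        "accepted_initially": accepted_initially,
        "cached_accepts_revoked": cached_accepts_revoked,
        "fresh_rejects_revoked": fresh_rejects_revoked,
        "rejected_after_ttl": rejected_after_ttl,
        "admin_key_accepted": admin_key_accepted,
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The point the simulation makes is the one in the reply: removing a record does nothing for resolvers that already cached it until the TTL elapses, so revocation latency is bounded below by the TTL, and any key the zone administrator chooses to publish verifies just as well as the delegation holder's own.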