Re: Proposal for a new PKI model (At least I hope it's new)

From: Anne & Lynn Wheeler (lynn_at_garlic.com)
Date: 09/06/03


Date: Fri, 05 Sep 2003 22:31:54 GMT


"George Ou" <2038george_ou9127@2342netzero.com2897> writes:
> So let me understand this. Are you saying that we should simply
> shift the CA task to the root DNS Name servers themselves? If so,
> that isn't much different than what I am proposing, since I'm
> proposing a different trust structure anyways. One that is
> delegated. If that trust structure is the root DNS name servers
> themselves, I have no problem with that. You would still be using
> PKC to do the authentication. The fact that it would also work
> offline is a feature, not a liability, although it would be as
> real-time as you want it to be.

i've been saying that for quite some time

1) the certification task has always been with the domain name
infrastructure since they are the authoritative agency for
domain name ownership. It has just been that the CA industry
has cloaked the fact with a lot of intermediate business
processes and crypto mumbo jumbo.

2) the fact is that if you are contacting a web server ... 99.99999 times
out of 100 (then again, maybe it is every time), you first do a domain
name lookup before initiating a tcp connection ... so the fact that
you could use an SSL domain name certificate for something else
other than initiating an ssl connection seems somewhat immaterial

3) the idea that you go to the expense to put together a humongous
certificate issuing infrastructure that effectively replicates a
business process already completely supported by the domain name
infrastructure seems to be a significant waste of money and resources
... on the off chance that somebody, someday, might theoretically use
that certificate in a scenario that doesn't involve doing a domain
name lookup.

-- 
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/ 
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
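A toy sketch of the model argued for above (the domain name lookup that every client already does returns the owner's registered key fingerprint, and the connection is accepted only if the presented key matches it, with no CA in the path). This is an added illustration, not code from the thread; the zone, the addresses and the placeholder "keys" are all constructed sample data, not real DNS records or real keys.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed toy "zone": alongside the address record, the authoritative
# domain owner publishes the SHA-256 fingerprint of their public key.
# Keys are placeholder byte strings standing in for real public keys.
ZONE = {
    "example.test": {
        "A": "192.0.2.10",  # documentation address range, constructed
        "KEYHASH": hashlib.sha256(b"example-pubkey-v1").hexdigest(),
    },
}

# Constructed: what a server at each address presents on connect. The
# second entry stands in for a host that does not hold the registered key.
SERVERS = {
    "192.0.2.10": b"example-pubkey-v1",
    "192.0.2.66": b"some-other-pubkey",
}


@dataclass
class Lookup:
    address: str
    keyhash: str


def dns_lookup(name: str) -> Lookup:
    """The lookup a client does anyway before opening a TCP connection;
    here it also yields the owner's registered key fingerprint."""
    rr = ZONE.get(name)
    if rr is None:
        raise KeyError(f"no such domain: {name}")
    return Lookup(rr["A"], rr["KEYHASH"])


def connect_verified(name: str, address: Optional[str] = None) -> bytes:
    """Resolve, connect, and accept the presented key only if its
    fingerprint matches what the domain owner registered in the zone.
    'address' exists so a test can simulate a misdirected connection."""
    lk = dns_lookup(name)
    addr = address or lk.address
    presented = SERVERS[addr]
    if hashlib.sha256(presented).hexdigest() != lk.keyhash:
        raise ValueError(f"key from {addr} is not the registered key for {name}")
    return presented
```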

