[14135] in cryptography@c2.net mail archive
Re: Is cryptography where security took the wrong branch?
daemon@ATHENA.MIT.EDU (bmanning@karoshi.com)
Wed Sep 10 09:44:50 2003
X-Original-To: cryptography@metzdowd.com
From: bmanning@karoshi.com
To: lynn@garlic.com (Anne & Lynn Wheeler)
Date: Wed, 10 Sep 2003 03:39:09 -0700 (PDT)
Cc: cryptography@metzdowd.com
In-Reply-To: <4.2.2.20030909141405.00c7bc70@mail.earthlink.net> from "Anne & Lynn Wheeler" at Sep 09, 2003 02:24:00 PM
> >certificate requests coming into a CA/PKI can be digitally signed, the
> >CA/PKI can retrieve the authoritative authentication public key (for the
> >domain name ownership) from the domain name infrastructure and
> >authenticate the request .... eliminating all the identification gorp (and
> >also done w/o the use of certificates).
> >
> >misc. additional recent musings:
> >http://www.garlic.com/~lynn/2003l.html#60 Proposal for a new PKI model
> >(At least I hope it's new)
Not particularly new. This was/is the promise of DNSSEC.
Early work: the TBDS and FMESHD projects. Current IETF
work: OE and IPSECKEY.
> The problem is that the domain name infrastructure has a database of domain
> name owners .... but no real good infrastructure ...
Not entirely. The reverse maps are a well defined infrastructure
space.
> Of course, the bottom line is if the domain name infrastructure has a
> real-time database of public keys for authentication purposes .... in part
> for use by the CA/PKI industry for authenticating SSL domain name
> certificate requests .... for use in authentication operations .... the use
> of the domain name infrastructure's authentication public keys don't have
> to just be restricted to authentication use by the CA/PKI industry. In
> fact, domain name infrastructure authentication public keys could be used
> effectively for authentication operations that actually subsume the SSL
> domain name certificates authentication operations.
There are some other problems w/ using the DNS.
No revocation process.
DNS caching
third-party trust (DNS admins != delegation holder)
>
> --
> Anne & Lynn Wheeler http://www.garlic.com/~lynn/
> Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
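The first two objections in the reply above (no revocation process, DNS caching) are really one problem seen from two sides: a relying party only ever sees the key record its resolver has cached, so replacing a compromised key at the authoritative server does nothing for a resolver that is still inside the old record's TTL. The following is an added example, not code from the thread or from any of the projects it names; it models a zone that publishes a key fingerprint, a caching resolver, and a relying-party check, and walks through a key compromise. The record name `_auth.karoshi.example`, the key bytes, the TTL of 3600 seconds, and the fingerprint-based check (hash of the raw key, in the style of SSHFP/DANE-type records) are all constructed for illustration.

```python
"""Toy model: DNS-published authentication keys versus resolver caching.

Added example, not code from the thread. Names, keys, TTLs and the
record layout are constructed for illustration only.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


def fingerprint(pubkey: bytes) -> str:
    """Hex SHA-256 of the raw public key; this is what the zone publishes."""
    return hashlib.sha256(pubkey).hexdigest()


@dataclass
class KeyRecord:
    """One published key record: the fingerprint and its TTL in seconds."""
    fp: str
    ttl: int


class AuthoritativeZone:
    """The zone owner's view: whatever is published right now is authoritative."""

    def __init__(self) -> None:
        self.records: dict[str, KeyRecord] = {}

    def publish(self, name: str, pubkey: bytes, ttl: int) -> None:
        self.records[name] = KeyRecord(fingerprint(pubkey), ttl)

    def lookup(self, name: str) -> KeyRecord:
        return self.records[name]


class CachingResolver:
    """A recursive resolver that serves a cached answer until its TTL expires."""

    def __init__(self, zone: AuthoritativeZone) -> None:
        self.zone = zone
        self.cache: dict[str, tuple[KeyRecord, int]] = {}  # name -> (record, expiry)

    def lookup(self, name: str, now: int) -> KeyRecord:
        cached = self.cache.get(name)
        if cached is not None and now < cached[1]:
            return cached[0]  # unexpired answer wins, whatever the zone says now
        rec = self.zone.lookup(name)
        self.cache[name] = (rec, now + rec.ttl)
        return rec


def peer_key_accepted(resolver: CachingResolver, name: str,
                      presented_key: bytes, now: int) -> bool:
    """Relying-party check: does the presented key match what DNS says for name?"""
    return resolver.lookup(name, now).fp == fingerprint(presented_key)


def revocation_timeline() -> dict[str, bool]:
    """Compromise and replace a key; record what each party accepted and when."""
    zone = AuthoritativeZone()
    resolver = CachingResolver(zone)
    name = "_auth.karoshi.example"  # constructed record name
    old_key = b"constructed-public-key-1"
    new_key = b"constructed-public-key-2"

    zone.publish(name, old_key, ttl=3600)
    results: dict[str, bool] = {}
    # t=0: resolver fetches and caches the record for key 1.
    results["t0_old_ok"] = peer_key_accepted(resolver, name, old_key, now=0)

    # t=600: key 1 is compromised; the owner replaces it at the authoritative server.
    zone.publish(name, new_key, ttl=3600)
    results["t600_old_still_ok"] = peer_key_accepted(resolver, name, old_key, now=600)
    results["t600_new_rejected"] = peer_key_accepted(resolver, name, new_key, now=600)

    # A resolver with nothing cached sees the replacement immediately.
    fresh = CachingResolver(zone)
    results["t600_fresh_old_rejected"] = peer_key_accepted(fresh, name, old_key, now=600)

    # Only when the cached record expires does the first resolver catch up.
    results["t3600_old_rejected"] = peer_key_accepted(resolver, name, old_key, now=3600)
    results["t3600_new_ok"] = peer_key_accepted(resolver, name, new_key, now=3600)
    return results


if __name__ == "__main__":
    for event, accepted in revocation_timeline().items():
        print(f"{event}: {'accepted' if accepted else 'rejected'}")
```

The point of the walk-through is that at t=600 the compromised key is still accepted by the resolver that cached it at t=0, and the legitimate replacement is rejected by that same resolver, while a resolver with an empty cache gets the right answer; nothing the zone owner does shortens that window other than having chosen a short TTL before the compromise. DNSSEC signing of the record would authenticate its origin but leaves this caching lag as it is.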