Out of all this, there is somewhat a request from the CA/PKI industry that a public key be registered as part of domain name registration (no certificate, just a public key registration). Then SSL domain name certificate requests coming into a CA/PKI can be digitally signed, the CA/PKI can retrieve the authoritative authentication public key (for the domain name ownership) from the domain name infrastructure and authenticate the request .... eliminating all the identification gorp (and also done w/o the use of certificates).
misc. additional recent musings:
http://www.garlic.com/~lynn/2003l.html#60 Proposal for a new PKI model (At least I hope it's new)
The "Database gaps make ID fraud easier, GAO says" http://www.gcn.com/vol1_no1/daily-updates/23446-1.html
is somewhat analogous to the SSL domain name certificate problem ... a primary purpose for existing is to authenticate that the website you think you are talking to is the website you are talking to.
The problem is that the domain name infrastructure has a database of domain name owners .... but no real good infrastructure ... and the CA/PKI operations doing SSL domain name certifications are disjoint from the domain name infrastructure operations. As a result .... effectively the CA/PKI industry has to treat requests for SSL domain name certificates effectively as if it was a random person walking in from the street ... and then they have to try and match up such seemingly random requests ... with what little bit of information that they can extract from the domain name infrastructure (seeing if they can establish an identity in the real world based on the DNS database information ... and see if that identity then can be matched against the identity of the entity requesting the certificate).
Adding a public key to the domain name infrastructure database as part of the domain name registration process .... then eliminates the requirement of trying to establishing corresponding identities in the real world ... and it just reduces to a question of authentication.
Of course, the bottom line is if the domain name infrastructure has a real-time database of public keys for authentication purposes .... in part for use by the CA/PKI industry for authenticating SSL domain name certificate requests .... for use in authentication operations .... the use of the domain name infrastructure's authentication public keys don't have to just be restricted to authentication use by the CA/PKI industry. In fact, domain name infrastructure authentication public keys could be used to effectively for authentication operations that actually subsume the SSL domain name certificates authentication operations.
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]