> >certificate requests coming into a CA/PKI can be digitally signed, the 
> >CA/PKI can retrieve the authoritative authentication public key (for the 
> >domain name ownership) from the domain name infrastructure and 
> >authenticate the request .... eliminating all the identification gorp (and 
> >also done w/o the use of certificates).
> >
> >misc. additional recent musings:
> >http://www.garlic.com/~lynn/2003l.html#60  Proposal for a new PKI model 
> >(At least I hope it's new)

        Not particularly new. This was/is the promise of DNSSEC.
        Early work, the TBDS and FMESHD projects.  Current IETF
        work, OE and IPSECKEY.

> The problem is that the domain name infrastructure has a database of domain 
> name owners .... but no real good infrastructure ... 

        Not entirely.  The reverse maps are a well defined infrastructure

> Of course, the bottom line is if the domain name infrastructure has a 
> real-time database of public keys for authentication purposes .... in part 
> for use by the CA/PKI industry for authenticating SSL domain name 
> certificate requests .... for use in authentication operations .... the use 
> of the domain name infrastructure's authentication public keys don't have 
> to just be restricted to authentication use by the CA/PKI industry. In 
> fact, domain name infrastructure authentication public keys could be used 
> effectively for authentication operations that actually subsume the SSL 
> domain name certificates authentication operations.

        There are some other problems w/ using the DNS.
                No revocation process.
                DNS caching
                third-party trust (DNS admins != delegation holder)

> --
> Anne & Lynn Wheeler    http://www.garlic.com/~lynn/
> Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
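
Added example, not part of the original message or any project's code: a Go sketch of the check described in the quoted proposal (a CA verifying a signed request against the key published for the domain), combined with the DNS caching and missing-revocation caveats raised in the reply. The `Resolver` type, the one-hour TTL, the use of Ed25519 and the name `example.com` are assumptions, and the zone is an in-memory map rather than real DNS.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

type entry struct { key ed25519.PublicKey; expires time.Time }

// Resolver models a caching resolver in front of the zone data (constructed, no network).
type Resolver struct {
	zone  map[string]ed25519.PublicKey // authoritative data: domain -> current key
	ttl   time.Duration
	cache map[string]entry
}

// Lookup serves the cached key until its TTL runs out, then refetches from the zone.
func (r *Resolver) Lookup(domain string, now time.Time) (ed25519.PublicKey, bool) {
	if e, ok := r.cache[domain]; ok && now.Before(e.expires) {
		return e.key, true
	}
	key, ok := r.zone[domain]
	if ok {
		r.cache[domain] = entry{key, now.Add(r.ttl)}
	}
	return key, ok
}

// Authenticate is the CA-side check: was the request signed by the key published for the domain?
func Authenticate(r *Resolver, domain string, req, sig []byte, now time.Time) bool {
	key, ok := r.Lookup(domain, now)
	return ok && ed25519.Verify(key, req, sig)
}

// Demo checks a request signed with the OLD key: before the swap, inside the TTL, after the TTL.
func Demo() [3]bool {
	t0, req := time.Unix(0, 0), []byte("certificate request for example.com")
	oldPub, oldPriv, _ := ed25519.GenerateKey(nil)
	newPub, _, _ := ed25519.GenerateKey(nil)
	r := &Resolver{map[string]ed25519.PublicKey{"example.com": oldPub}, time.Hour, map[string]entry{}}
	sig := ed25519.Sign(oldPriv, req)
	before := Authenticate(r, "example.com", req, sig, t0)
	r.zone["example.com"] = newPub // owner replaces the key; nothing tells caches to drop the old one
	during := Authenticate(r, "example.com", req, sig, t0.Add(30*time.Minute))
	after := Authenticate(r, "example.com", req, sig, t0.Add(2*time.Hour))
	return [3]bool{before, during, after}
}

func main() { fmt.Println(Demo()) }
```

The middle result is the point: a request signed with the replaced key is still accepted until the cached record expires, so the TTL is the only bound on how long a withdrawn key stays usable in this model.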
