Anne & Lynn Wheeler wrote:
> So one of the proposals (somewhat backed by the domain
> name certification authority industry) is that domain
> name owners place a public key on file when they
> register a domain name with the domain name
> infrastructure. Then all future communication with the
> domain name infrastructure can be digitally signed ...
> and the domain name infrastructure verify the digital
> signature with the on-file public key.

If the decision was to be made by five engineers sitting around a coffee table, they would agree on a solution in a few minutes, and implement it in a week, but a committee of seventeen people could not agree to adjourn a meeting held in a burning building.

The problem is organizational. To get one decision centrally made and imposed on everyone requires a central body capable of making decisions and imposing them on everyone, and before it can get that authority, that central body usually has to raze Atlanta and burn the crops, or inflict genocidal famine on the Ukraine.

The great strength and great weakness of the internet is that it is an anarchy. Anything that requires one decision made for all, such as the domain name system, got frozen when the internet became too large for decision making by consensus, and is now extremely difficult to change.

So to make changes, they have to be made incrementally: You need a CA with the proposed policy and a deal with several registrars, and that CA needs to get on the Mozilla and IE list.

Nice selling point. If you register with, say, OpenSRS, you would automatically get an SSL cert.

Unfortunately, the certification process for a CA to get on the browser list seems to be somewhat circular - to be a CA, you have to prove you are like existing CAs, which is most easily done if you *are* an existing CA, and have no intention of changing the way you work.
