DataPacRat,
On Tue, Oct 22, 2013 at 5:24 PM, Stephen Kent <[email protected]> wrote:
DataPacRat,

...

The key item I am gathering from your response is 'trust is not
transitive'. If that's the case, then wouldn't that also apply to
chains of 'official' CAs, as well? If all that is so, then is it
possible that ad-hoc / mesh-network / web-of-trust /
(insert-buzzword-here) CAs would fare no worse by that metric than the
current hierarchical CA system?
That is a fair comment for some PKIs, but not all.

If a PKI represents an authoritative set of CAs, vs. a "trusted"
set of CAs, then this issue does not arise. So for example in the
DANE context or the RPKI context, we're not dealing with transitive trust.
I'm not familiar with many of the details of DANE and RPKI. Do either
of them provide any protection against a subpoena attack?
I'll let other folks comment on DANE, right Warren?

As for the RPKI, first note that it is a PKI that provides
authenticated info about who holds which blocks of IP address
space, and thus encryption is not an issue. I recently published
an I-D (draft-kent-sidr-suspenders-00) that tries to address concerns
that have been raised by some folks about possible law enforcement
influence on the CAs in the hierarchy. The focus here is on influence
that might be effected across national boundaries.

Steve
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
