[cryptography] FW: Request - PKI/CA History Lesson - the definition of trust

pjklauser at gmail.com pjklauser at gmail.com
Mon May 5 14:12:41 EDT 2014


-----Original Message-----
From: Jeffrey Goldberg [mailto:jeffrey at goldmark.org] 
Sent: Montag, 5. Mai 2014 01:40
To: pjklauser at gmail.com
Cc: cryptography at randombit.net
Subject: Re: [cryptography] Request - PKI/CA History Lesson - the definition
of trust

>On 2014-05-03, at 3:22 AM, <pjklauser at gmail.com> <pjklauser at gmail.com>
>wrote:
>
>> Frankly, if we could "trust" in DNS, we would not need to "trust" in
>> web-PKIX [2] - since the one is just the bandaid for the other.
>
>Have you forgotten that routing can be subverted?
>
>Just because you are talking to the right IP address doesn't mean
>you are talking the right host.

You're right yes ( I did forget :), but if a DNS can somehow guarantee a
correct "hostname->IPAddress" mapping, then it can also guarantee a correct
"hostname->public key" ( or self signed certificate) mapping. WebServers
would present a self-signed certificate with the public key to HTTPS(TLS)
clients, and the client side PKIX chain validation would need to be modified
to validate the public key matches that which is in the DNS. This handling
could be standardized through the use of some X509 "key usage" attribute
value to indicate that it's trust is anchored in a DNS. So what I mean is
that the concept of anchoring trust in Root-CA's ( the WebTrust monopoly )
can be removed if we could trust in a DNS.

Having said all of that, I haven't got my head around Namecoin yet, and i
cannot fathom yet what can be trusted about it at all....but i'm still
trying. 

yours;P.


---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com



More information about the cryptography mailing list