
RE: [Design] Re: Wes Hardaker: opportunistic encryption deployment problems



At 8:27 AM +0100 8/16/01, Chris Trobridge wrote:
>  > From: Stephen Kent [mailto:kent@bbn.com]
>>  At 6:11 PM +0100 8/15/01, Chris Trobridge wrote:
>>  >I think the problem is not specifically "global PKI" but
>>  "global trust
>>  >infrastructure".
>>
>>  I think "trust" is largely an irrelevant term here.  If one wants to
>>  identify hosts by DNS name, there is an established, strict hierarchy
>>  that we all rely on. It's authoritative. It's not a matter of trust.
>
>I think we may be arguing over language here - I still see this as a
>hierarchical system of trust.

X.509 is not intrinsically hierarchic, although it is often portrayed 
as such. PGP makes a point out of being non-hierarchic.  DNSSEC is 
clearly hierarchic, although folks are working on ways to deviate 
from that. But, if one looks at the form of identifiers that we are 
using in IPsec, most of them are drawn from a hierarchic name space, 
and that makes it more likely that a certification system will 
parallel the name space and thus become hierarchic, in whole or in 
part. Consider DNS names, RFC822 names, IP addresses, ...

>
>>  >It would be useful if IKE could use different trust models, including
>>  >delegation this to another protocol.
>>
>>  IKE defines very little about what one does with its varied set of
>>  potential PKI technologies, so I don't think this is a relevant
>>  criticism.
>
>I may be guilty of confusing what I know is being done with IKE vs what it
>is capable of.
>

Yes, that may be the source of confusion.

Steve

