[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SDSI DNS namespace

One thing I didn't quite follow was the use of SDSI in the context
of DNS email addresses.  I gather that an email address like
rivest@theory.lcs.mit.edu would be interpreted, lacking any local
overrides, as ( ref: DNS!! edu mit lcs theory rivest ).  This could be
written as DNS!!'s edu's mit's lcs's theory's rivest.

Now as I understand it each element in this chain is a name for a
principal, where the principal can be thought of as either a key or a
wielder of a key.  So there would be a key associated with DNS!! which
everyone would know about (the !! meaning it is a global name).  It would
have a local name "edu" which is mapped to some principal (key), which is
associated with the .edu domain.  That key would have its own mapping
between the local name "mit" and the principal or key for MIT.  That
principal would then have a mapping between the name "lcs" and a key for
that name, which would have a mapping between the name "theory" and that
key.  Finally the "theory" principal would have a mapping between
"rivest" and Ron Rivest's key.

Is this right?  It seems like a lot of keys.  And it's not clear to me
in practice who would own or control each of them.  Also, are there
some kinds of policy statements at each link in the chain to describe
what checking was done for that name binding?

Is there another way of finding the key associated with
rivest@theory.lcs.mit.edu than tracing this certificate chain, and/or
asking each of the principals along the way to verify its link?  For
example, how would a VeriSign certificate binding a key for Ron
Rivest to rivest@theory.lcs.mit.edu be written?  Could it just be
( ref: VeriSign!! rivest@theory.lcs.mit.edu )?

Hal Finney