> >We're already trusting chains of significant length (i.e. DNS delegation)
> >with no decent verification at all.
>
> That's a good point. PKI on DNS might not be the most trustworthy system
> imaginable, but it would probably be an improvement over no PKI. Provided
> it doesn't break DNS...
> > I don't want to discount the importance of cert discovery, but I do
> > think it's a stretch to believe that you're going to be willing to trust
> > all of the certs that you discover in a chain of significant length, for
> > a significant set of purposes.
>
> So do you think that there's a n
Since I assume that most people on the lists already understand
this stuff, I'll follow up to Peter privately...
> Somebody suggested out-of-band that I might be trolling with my last
> post, but actually I was just surrendering to my frustration, for which
> I apologize. I know what a wasteland
> Unfortunately, Zymurgy's Law of Evolving Thermodynamics applies here.
> The worms are out of the can, and I suggest anybody who wants to fight
> this battle order at least a 4-sizes-larger can
these particular worms are still in the can, and it's probably better
for everyone if they stay t
> Correction: A single global rooted PKI is a bad idea, a single global (in
> the namespace sense, not a single system) PKI database where we can look up
> certificates is a good idea.
assuming that you can keep the folks who control the TLDs from trying
to sell themselves as authoritative CAs f
> I was wondering if the best system to build a global PKI wouldn't be the
> DNS system already in place?
A global PKI is a Bad Idea. Nobody is sufficiently trustworthy to be the
root CA.
Keith
__
OpenSSL Project