-----Original Message-----
From: Jeffrey Goldberg [mailto:jeff...@goldmark.org]
Sent: Monday, 5 May 2014 01:40
To: pjklau...@gmail.com
Cc: cryptography@randombit.net
Subject: Re: [cryptography] Request - PKI/CA History Lesson - the definition of trust
> On 2014-05-03, at 3:22 AM, <pjklau...@gmail.com> <pjklau...@gmail.com> wrote:
>
>> Frankly, if we could "trust" in DNS, we would not need to "trust" in
>> web-PKIX [2] - since the one is just the bandaid for the other.
>
> Have you forgotten that routing can be subverted?
>
> Just because you are talking to the right IP address doesn't mean
> you are talking to the right host.

You're right, yes (I did forget :), but if a DNS can somehow guarantee a correct "hostname -> IP address" mapping, then it can also guarantee a correct "hostname -> public key" (or self-signed certificate) mapping.

Web servers would present a self-signed certificate with the public key to HTTPS (TLS) clients, and the client-side PKIX chain validation would need to be modified to validate that the public key matches the one in the DNS. This handling could be standardized through the use of some X.509 "key usage" attribute value to indicate that its trust is anchored in a DNS.

So what I mean is that the concept of anchoring trust in Root CAs (the WebTrust monopoly) can be removed if we could trust in a DNS.

Having said all of that, I haven't got my head around Namecoin yet, and I cannot fathom yet what can be trusted about it at all... but I'm still trying.

yours;
P.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
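The DNS-anchored key check that the reply above sketches, as an added example that is not from this thread or from any project: a client accepts a server's self-signed key only when it matches a record published under the hostname, and fails closed when no record exists. The record layout (the full SubjectPublicKeyInfo, or a SHA-256/SHA-512 digest of it) is modelled on DANE TLSA and is an assumption of this example, as are the hostnames and the stand-in key bytes; it also presumes the DNS answer itself arrived authenticated (for instance via DNSSEC), which is the "if we could trust in a DNS" premise of the message.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Matching types modelled on DANE TLSA (RFC 6698); an assumption of this example.
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

@dataclass(frozen=True)
class KeyRecord:
    """One DNS-published binding of a hostname to a server public key (SPKI)."""
    matching_type: int
    data: bytes  # full SPKI DER, or its SHA-256 / SHA-512 digest

def spki_fingerprint(spki_der: bytes, matching_type: int) -> bytes:
    """Derive the value a DNS record of this matching type would carry."""
    if matching_type == MATCH_FULL:
        return spki_der
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(spki_der).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(spki_der).digest()
    raise ValueError(f"unknown matching type {matching_type}")

def validate_presented_key(hostname: str, presented_spki: bytes, zone: dict) -> bool:
    """Accept the server's self-signed key only if a record for the hostname
    matches it. The zone is assumed to hold DNSSEC-validated answers; with no
    record there is nothing to anchor in, so fail closed instead of trusting
    the self-signed certificate on its own."""
    name = hostname.lower().rstrip(".")
    for rec in zone.get(name, []):
        try:
            expected = spki_fingerprint(presented_spki, rec.matching_type)
        except ValueError:
            continue  # unknown matching type: never counts as a match
        if hmac.compare_digest(expected, rec.data):  # constant-time compare
            return True
    return False

# Constructed sample data (not real keys): stand-ins for SubjectPublicKeyInfo DER.
GOOD_SPKI = b"\x30\x2a" + b"constructed-spki-for-www.example.test"
ROGUE_SPKI = b"\x30\x2a" + b"constructed-spki-from-an-impostor-host"
ZONE = {
    "www.example.test": [KeyRecord(MATCH_SHA256, hashlib.sha256(GOOD_SPKI).digest())],
    "mail.example.test": [KeyRecord(MATCH_FULL, GOOD_SPKI)],
}

if __name__ == "__main__":
    print(validate_presented_key("www.example.test", GOOD_SPKI, ZONE))   # True
    print(validate_presented_key("www.example.test", ROGUE_SPKI, ZONE))  # False
```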