[EURO-Discuss] Short bio for the election of the Euralo representatives to the ALAC

Patrick Vande Walle patrick at vande-walle.eu
Sun Aug 31 11:15:44 EDT 2008


Lutz Donnerhacke wrote:

> On Sat, Aug 30, 2008 at 03:25:16PM +0200, Patrick Vande Walle wrote:
>> I am not sure I understand your point. PKI requires a "trusted third
>> party". This is necessary when both parties do not know each other,
>> which is the case in DNS name resolution. PK architectures are
>> hierarchical by design.
>
> PKIs are not necessarily hierarchical:
>  - OpenPGP uses a network of trust.
>  - The classical X.509 PKIs consist of a forest of very flat trees.

I have been using PGP ever since the Fidonet days. Over those 25 years,
it never really spread outside the geek/hobbyist/hacker world, because
it relies on both parties knowing each other before being able to accept
the signatures. This may work in small communities, but it does not
scale, for lack of a trusted third party.

Agree that X.509 PKIs are mostly flat *BUT* they are run by well
identifiable and reputable companies. I think this is my main point.
Security is not only a bunch of smart shell scripts around openssl or
dnssec-signzone. It is first and foremost how clearly identifiable you
are in the real world and what credit you get from others. Users both
large and small are less concerned with the company's technical ability
than by its toll-free number for complaints and the office address where
they can send their lawyer letters.

> If you rethink your needs for HTTPS/SSL/SSH/... you will notice that the
> common user base is not interested in making large scale eCommerce, but
> secure their communication. DNSSEC does the job and is extensible to email,
> SSH, VPN, ...

My need as a normal user is that the banking web site I am accessing is
clearly identified and guaranteed to be genuine by a reputable third
party. My need as a service provider is to be clearly identified and
not to generate warnings in the customer's browser because of an
unrecognized CA. If it happens, I will lose a customer.

I agree there could be some situations where encryption is desirable
but does not need to rely on expensive, unambiguously identifiable and
detailed certificates. Those needs are already pretty well covered with
PGP, community based PKIs, self-signed certificates, etc. Those who need
them know how to use these services and tools.

However, I still stand by my original position that the domain name system
is designed to translate strings of characters into IP addresses. This
was the spirit of RFC882. It was designed to be a system where updates
were not frequent. Caching and secondary name servers can provide an
answer that may not be in sync with the primary. I do not really see how
the DNS could handle the responsiveness needed for revocation of keys.

Best regards,

-- 
Patrick Vande Walle
Check my blog: http://patrick.vande-walle.eu


