[DotGNU][PG-Proposal] dotGNU authentication and authorization subsystem.

[Richard Kay]

Matthew Copeland (address@hidden) wrote:

>Distributed and scalable control mechanism for servers such that
>any individual, company, or government can create an
>authentication server and the user can decide which to
>use at run time.  (This means that no single authority can
>also manage primary servers like you see with the
>root nameservers under DNS.)
 
I see the minimalist centralisation that exists within DNS as 
probably a neccessary evil. I don't understand how you are going to
get a simple, fast lookup system for a consistent and meaningful 
global namespace without some form of global domain address delegation.
I am aware of other alternative proposals for naming network 
objects e.g. within gnutella and freenet, which avoid heirarchical 
naming, but I don't consider these schemes likely to be either simple 
or fast or meaningful. Also there is nothing to prevent other 
groups implementing other DNS's with more or different top level 
domains, other than people choosing not to use such alternatives. 
A completely alternative DNS system could however be at the heart 
of DotGNU, which doesn't rely on any of the current DNS nameservers. 
But this alternative would end up introducing another replicated 
directory service pointing to the many DotGNU TLD servers which is 
considered more reliable and authoritative than any others.

The only real centralisation here is about how you get agreement over
maintaining the top level part of a replicated global namespace 
directory which contains the canonical addresses of TLD name servers. 
This degree of centralisation doesn't impose anything much on
how parts of the namespace below it are used, so long as
there is a system of delegated authority for different parts of
the namespace. This seems more meaningful, simple and fast to me
than alternatives involving generation of long enough random object
identifiers to reduce the risk of identifier collisions.

I see this as an area where the wrong decision at this stage
could have significant consequences, possibly leading to blind
development alleys which could take 12-24 months to back out of. 
The naming system is going to be so much built into other areas of
DotGNU that what we dislike about DNS might be a price worth
paying for something which we know to work well enough. I don't 
think we should let the ideal to be the enemy of the good here.

Richard Kay
address@hidden
http://copsewood.net/