

To: dnssec@cafax.se
Cc: lewis@tislabs.com
From: Edward Lewis <lewis@tislabs.com>
Date: Thu, 30 Aug 2001 13:42:24 -0400
Delivery-Date: Fri Aug 31 20:34:34 2001
Sender: owner-dnssec@cafax.se
Subject: CERTificates and public keys

At the DNSSEC status meeting (yeah, I know, I owe minutes) Itojun asked why
the SSH work being done uses the public key record in DNS and not the CERT
RR.  Wes and I said we'd look into it, and we did spend a short amount of
time talking about it.

We actually found the use of CERT to be a real problem.  The reason is that
there is no standing certification authority that could back the CERT
record.  That is a major stumbling block, for without this, the CERT record
is far worse than the KEY RR.  This is because the KEY RR is at least
backed by "standard" DNSSEC key chaining policy (we can debate whether a
resolver follows the "standard" - which is defined in RFC 3007 or 3008 -
but at least the resolver follows a DNS based infrastructure).

So, Wes and I would like to hear comments on why certificates would be an
improvement upon public keys when managing infrastructure keying material -
e.g., host keys for SSH, IPsec, etc.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.
