To: Edward Lewis <lewis@tislabs.com>
Cc: <dnssec@cafax.se>
From: Jakob Schlyter <jakob@crt.se>
Date: Fri, 31 Aug 2001 00:09:57 +0200 (MEST)
Delivery-Date: Fri Aug 31 20:34:49 2001
In-Reply-To: <v03130302b7b42a28a58d@[199.171.39.33]>
Sender: owner-dnssec@cafax.se
Subject: Re: CERTificates and public keys
On Thu, 30 Aug 2001, Edward Lewis wrote:

> At the DNSSEC status meeting (yeah, I know, I owe minutes) Itojun asked why
> the SSH work being done uses the public key record in DNS and not the CERT
> RR. Wes and I said we'd look into it, and we did spend a short amount of
> time talking about it.

also, ssh doesn't currently support X.509 certificates for authentication and
adding support for that is non-trivial (compared to adding support for KEY).

> So, Wes and I would like to hear comments on why certificates would be
> an improvement upon public keys when managing infrastructure keying
> material - e.g., host keys for SSH, IPsec, etc.

CERT is good for applications using certificates such as IPsec or TLS/SSL. for
applications that do not need the extra "burden" of X.509 and only need the raw
public key - CERT gives you nothing but a more complex data structure.

one can use IPsec without certificates, i.e. raw public keys - we (as in
OpenBSD isakmpd together with Linux FreeS/WAN) tested this at the IPsec bakeoff
in Espoo a couple of weeks ago and it works very well.

jakob
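The point of the exchange above is the difference in what the two records carry: a KEY RR (RFC 2535) holds a raw public key behind a 4-octet header, while a CERT RR (RFC 2538) holds a whole certificate or CRL behind a 5-octet header whose key tag and algorithm fields point back at the KEY RR for the same key. The following Python is an added example, not code from the original message or from any of the projects named in it; it parses both RDATA layouts from wire format, computes the RFC 2535 key tag for a KEY RR, and checks whether a CERT RR refers to that KEY. The sample RDATA bytes are constructed for the example (the "certificate" payload is a placeholder blob, not real DER), and the type, protocol and algorithm code tables are the values registered by the RFCs named.

```python
import struct

# CERT RR certificate type codes (RFC 2538, section 2.1).
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 253: "URI", 254: "OID"}
# KEY RR protocol octet values (RFC 2535, section 3.1.3).
KEY_PROTOCOLS = {1: "TLS", 2: "email", 3: "DNSSEC", 4: "IPSEC", 255: "all"}
# DNSSEC algorithm numbers shared by both record types.
ALGORITHMS = {1: "RSA/MD5", 2: "DH", 3: "DSA", 5: "RSA/SHA-1"}


def parse_key_rdata(rdata):
    """KEY RDATA: flags(16) | protocol(8) | algorithm(8) | public key."""
    if len(rdata) < 4:
        raise ValueError("KEY RDATA shorter than its 4-octet header")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return {
        "flags": flags,
        "protocol": KEY_PROTOCOLS.get(protocol, protocol),
        "algorithm": ALGORITHMS.get(algorithm, algorithm),
        "algorithm_code": algorithm,
        "public_key": rdata[4:],          # the raw key, nothing wrapped around it
    }


def parse_cert_rdata(rdata):
    """CERT RDATA: type(16) | key tag(16) | algorithm(8) | certificate or CRL."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-octet header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return {
        "cert_type": CERT_TYPES.get(cert_type, cert_type),
        "key_tag": key_tag,
        "algorithm": ALGORITHMS.get(algorithm, algorithm),
        "algorithm_code": algorithm,
        "certificate": rdata[5:],         # opaque blob in the format named by cert_type
    }


def key_tag(key_rdata):
    """Key tag over whole KEY RDATA (RFC 2535 App. C / RFC 4034 App. B).

    This is the generic ones'-complement style sum; algorithm 1 (RSA/MD5)
    uses a different rule and is not handled here.
    """
    ac = 0
    for i, octet in enumerate(key_rdata):
        ac += octet if (i & 1) else (octet << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def cert_refers_to_key(cert_rdata, key_rdata):
    """True when the CERT's key tag and algorithm match the given KEY RR."""
    cert = parse_cert_rdata(cert_rdata)
    key = parse_key_rdata(key_rdata)
    return (cert["key_tag"] == key_tag(key_rdata)
            and cert["algorithm_code"] == key["algorithm_code"])


# Constructed sample data (not real keys or certificates):
# KEY RR for an IPsec host: flags 0, protocol 4 (IPSEC), algorithm 3 (DSA),
# followed by a 4-octet placeholder "public key".
SAMPLE_KEY = bytes([0x00, 0x00, 0x04, 0x03, 0x01, 0x02, 0x03, 0x04])
# CERT RR claiming to be a PKIX certificate for that key: the key tag field
# is set to the tag computed over SAMPLE_KEY; the payload is a placeholder.
SAMPLE_CERT = struct.pack("!HHB", 1, key_tag(SAMPLE_KEY), 3) + bytes(
    [0x30, 0x03, 0x02, 0x01, 0x05])


def overhead_bytes(cert_rdata, key_rdata):
    """Extra octets a CERT record costs over the KEY record for the same key."""
    return len(cert_rdata) - len(key_rdata)


if __name__ == "__main__":
    print("KEY :", parse_key_rdata(SAMPLE_KEY))
    print("CERT:", parse_cert_rdata(SAMPLE_CERT))
    print("key tag:", key_tag(SAMPLE_KEY))
    print("CERT refers to KEY:", cert_refers_to_key(SAMPLE_CERT, SAMPLE_KEY))
```

The parsers work on RDATA only, so feeding them the output of a real resolver means stripping the name, type, class, TTL and RDLENGTH first; what they make visible is that a CERT answer still has to be matched to a KEY (via the tag and algorithm) and then handed to a certificate library before a raw key falls out, which is the extra structure the message above describes.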