

To: Jakob Schlyter <jakob@crt.se>
Cc: Edward Lewis <lewis@tislabs.com>, <dnssec@cafax.se>
From: Derek Atkins <warlord@MIT.EDU>
Date: 31 Aug 2001 09:49:45 -0400
Delivery-Date: Fri Aug 31 20:35:26 2001
In-Reply-To: Jakob Schlyter's message of "Fri, 31 Aug 2001 00:09:57 +0200 (MEST)"
Sender: owner-dnssec@cafax.se
Subject: Re: CERTificates and public keys

Jakob Schlyter <jakob@crt.se> writes:

> CERT is good for applications using certificates such as IPsec or
> TLS/SSL. for applications that do not need the extra "burden" of
> X.509 and only need the raw public key - CERT gives you nothing but a more
> complex data structure.

CERT records _DO_NOT_ imply X.509.  A CERT record gives you the
ability to store key information in the DNS in parallel to the DNSSec
keying material.  This way a DNSSec client WILL NOT get confused.

Example: 

Assume you store your ssh key as a KEY record.  Assume your ssh host
happens to have the same A record as your zone.  Now what?  It implies
that you have your SSH "KEY" and your Zone "KEY".  How does the SSH
client know which "KEY" to use?  Worse, what would happen if a DNSSec
client tries to use the wrong "KEY"?

If an SSH key (signed or not) were stored in a CERT record, then clearly
the SSH client would not get confused, and the DNSSec client would not
get confused.

> one can use IPsec without certificates, i.e. raw public keys - we (as in
> we OpenBSD isakmpd together with Linux FreeS/WAN) tested this at the IPsec
> bakeoff in Espoo a couple of weeks ago and it works very well.

True, and quite honestly you can use the CERT record for this, too.  I
mean, PGP isn't X.509 but there is a PGP Key binding for CERT RRs, no?
How can this be if CERT implies X.509?  Obviously there is no such
requirement on the CERT record.

> 	jakob

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
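An added example (not part of this message or the thread) that models the KEY/CERT ambiguity discussed above in Python. It encodes a constructed RRset for one owner name using the RFC 2535 KEY and RFC 2538 CERT RDATA layouts; the key bytes are placeholders, not real keys.

```python
import struct
from collections import namedtuple

KEY_ZONE_FLAG = 0x0100     # RFC 2535 KEY flags, bit 7: this KEY is a zone key
KEY_PROTO_DNSSEC = 3       # RFC 2535 KEY protocol value meaning DNSSEC
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 253: "URI", 254: "OID"}  # RFC 2538
# RFC 2535 KEY RDATA: flags(16) protocol(8) algorithm(8) public key
KeyRR = namedtuple("KeyRR", "flags protocol algorithm public_key")
# RFC 2538 CERT RDATA: type(16) key tag(16) algorithm(8) certificate
CertRR = namedtuple("CertRR", "cert_type key_tag algorithm certificate")

def parse_key(rdata: bytes) -> KeyRR:
    flags, proto, alg = struct.unpack("!HBB", rdata[:4])
    return KeyRR(flags, proto, alg, rdata[4:])

def parse_cert(rdata: bytes) -> CertRR:
    ctype, tag, alg = struct.unpack("!HHB", rdata[:5])
    return CertRR(ctype, tag, alg, rdata[5:])

def key_rdata(flags: int, proto: int, alg: int, key: bytes) -> bytes:
    return struct.pack("!HBB", flags, proto, alg) + key

def cert_rdata(ctype: int, tag: int, alg: int, cert: bytes) -> bytes:
    return struct.pack("!HHB", ctype, tag, alg) + cert

# Constructed RRset at one owner name (placeholder key bytes, not real keys):
# the zone's own KEY, an SSH host key stored as a second KEY, and the same SSH
# key stored as a CERT of type SPKI; tag/algorithm 0 means no DNSSEC key link.
RRSET = [
    ("KEY", key_rdata(KEY_ZONE_FLAG, KEY_PROTO_DNSSEC, 1, b"<zone-key>")),
    ("KEY", key_rdata(0x0000, 255, 1, b"<ssh-host-key>")),
    ("CERT", cert_rdata(2, 0, 0, b"<ssh-host-key>")),
]

def rrs_of_type(rrset, rtype):
    # What a client receives when it queries the name for one RR type only.
    return [rd for t, rd in rrset if t == rtype]

def ssh_candidates_via_key(rrset):
    # Querying KEY returns every KEY at the name; the SSH client must guess.
    return [parse_key(rd) for rd in rrs_of_type(rrset, "KEY")]

def ssh_candidates_via_cert(rrset):
    # Querying CERT returns only records meant for certificate/key consumers.
    return [parse_cert(rd) for rd in rrs_of_type(rrset, "CERT")]

def zone_keys(rrset):
    # DNSSEC side: the SSH KEY sits in the same RRset, so only the flags/protocol
    # octets separate it from the zone key.
    return [k for k in ssh_candidates_via_key(rrset) if k.flags & KEY_ZONE_FLAG]
```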
