To:
Edward Lewis <lewis@tislabs.com>
Cc:
Simon Josefsson <jas@extundo.com>, dnssec@cafax.se
From:
Derek Atkins <warlord@MIT.EDU>
Date:
31 Aug 2001 09:57:44 -0400
Delivery-Date:
Fri Aug 31 20:35:27 2001
In-Reply-To:
Edward Lewis's message of "Thu, 30 Aug 2001 16:20:19 -0400"
Sender:
owner-dnssec@cafax.se
Subject:
Re: CERTificates and public keys
There is absolutely no assumption at all in RFC 2538 that a certificate is signed. If there is, please point out the section so I can go re-read it again. However, having just read the RFC yet again, I can see no mention of just a requirement or assumption anywhere in the draft (well, except when talking specifically about X.509/PKIX keys). This means that when you "enter a key into a certificate" you don't have to worry about who signs it, because quite frankly NOBODY has to "sign" it. The main reason, IMHO, to use a CERT record over a KEY record is that KEY records imply DNSSec keys whereas CERT records imply application keys. -derek Edward Lewis <lewis@tislabs.com> writes: > Assuming a certificate is not self-signed, the signature attached to the > certificate is generated by another entity. The idea being that I, as a > user of a certificate, can start with the public key of a CA (whether as a > key or an assumed certificate), and chain through a set of certificates to > ascertain the goodness of the certificate in question. Once that is > accomplished I can "trust" that the name in the certificate (and ancillary > data) is bound to any data with a signature that is verified by the > certificate's public key. > > The problem that Wes and I discussed involved entering an SSH host key into > a certificate. Who signs the certificate? Would it be self-signed? Would > it be signed by the administrator of the machine? Would it be signed by a > site-wide adminitistrator? Ultimately, how would I, as an arbitrary user > come to trust the SSH key certificate - in a way that is less cumbersome > than configuring the public key in my client? > > If we use the KEY RR, and I already have a public key for the root zone, > then I could just follow the DNS hierarchy (assuming a completed tree). > For a fragmented tree, I just need the enclosing island of trust's key. > > I am aware of the benefits of a CERT (more fields, hence more information) > over a KEY, but that assumes there is a supporting infrastructure. KEY > already has one - the DNS itself, but what is behind the CERT? > > > > >* No requirement on DNSSEC to protect the keys. > > > > DNSSEC isn't happening now, while applications using public keys > > (SSH, IPSec, S/MIME, PGP..) is happening. > > > > Without CA's, there applications aren't better off than DNS. > > >* DNSSEC only guarantee origin authentication. > > > > This is probably too weak for some applications. I want to trust > > that a public key belong to a certain host or person. Only being > > able to trust the origin of the information is weaker. Putting a > > SSH KEY RR in DNS doesn't authenticate that key as belonging to the > > host (which is what you want) but rather that you trust that the > > public key came from a certain origin. Maybe this is subtle and can > > be ignored for SSH or IPSEC (where you could assume that if it came > > from the domain where the machine lives in you trust it as belonging > > to the host). But I wouldn't trust a key for S/MIME or PGP purposes > > based only on the fact that I know where the key came from (how do I > > know they checked the identity of the user before signing his public > > key?). > > If SRV naming is used, then the key can be tied to a host via the domain > name, which is covered by the SIG RR. For identity of folks, there is a > email-address convention defined (replace the @ with .). > > > > >* Key revocation. > > > > Keys used by several applications have different requirements than > > DNSSEC KEY's, several applications need revocation functionality. > > This is true, KEY can't do that but CERT can. > > >* Reuse of trust infrastructure in applications. > > > > Today applications usually trust some predefined set of CAs. > > Changing the trust infrastructure in the application to support the > > DNSSEC way is more difficult than retrieving keys signed by the CAs > > using DNS. (And I don't see any advantages of doing the change, > > only some disadvantages, like giving up revocation.) > > What are the predefined set of CA's? That's what isn't obvious. > > What applications are you referring to? Netscape is shipped with > certificates signed by Verisign. I don't know of an SSH that uses > certificates. > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- > Edward Lewis NAI Labs > Phone: +1 443-259-2352 Email: lewis@tislabs.com > > You fly too often when ... the airport taxi is on speed-dial. > > Opinions expressed are property of my evil twin, not my employer. > > -- Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory Member, MIT Student Information Processing Board (SIPB) URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH warlord@MIT.EDU PGP key available