

To: Derek Atkins <warlord@MIT.EDU>
Cc: keydist@cafax.se
From: Rodney Thayer <rodney@tillerman.to>
Date: Thu, 13 Dec 2001 11:20:00 -0700
Delivery-Date: Thu Dec 13 19:23:12 2001
In-Reply-To: <sjmu1uv5a7k.fsf@benjamin.ihtfp.org>
Sender: owner-keydist@cafax.se
Subject: Re: hello!

Hmmm.  It seems that we want to quantify...

   -- the usage of a key in the directory
   -- is a multi-purpose key something we want to support
   -- is the solution to be "format agnostic" (e.g. it's a blob, you
      parse it yourself)
   -- what "usage types" are appropriate for DNS

If we are to begin at the beginning, we need to enumerate requirements
for keys.  One I want to have is to be able to store ssh keys,
at least for use in accessing infrastructure devices.

In other words, I can see the point that storing the SSH keys for my
desktop linux system might not be an appropriate use of DNS, but
I think that storing the SSH keys for my router is appropriate.

As I understand the objections in the DNSEXT WG, they were sort of
saying that "application keys are not something the DNS should be used to
store".  I would like to interpret that as "non-infrastructure-related
application keys".  Or, perhaps, "not keys for which there are other
directory mechanisms".  In other words, I don't think anyone is asking
to store something like a PKIX CRL in DNS.

At 11:57 AM 12/13/2001 -0500, Derek Atkins wrote:
>Hi, Rodney,
>
>Indeed, we're trying to come up with requirements for various
>applications.
>
>My strawman proposal is that:
>  - a DNS key-storage record will store keys
>  - applications can design their own policy/configuration-storage records
>    to store application policy/configuration information
>
>But there are still a lot of open questions.  For example, can we
>use a single, subtyped "generic application key/certificate storage
>RR type" and use LHS names to differentiate the key-usage types.
>Alternatively, we can split various key formats into different
>RR types (raw keys, x.509 certs, pgp keys, spki certs, etc)...
>Or we can even do a combination of them all.
>
>But stepping back from all this, can we come up with a set of
>requirements for key storage (in general)?
>
>-derek
>
>Rodney Thayer <rodney@tillerman.to> writes:
>
> > Hello there.  I'm Rodney Thayer, I am interested in participating
> > in the discussion of storing SSH keys in DNS.  I am a security
> > architect/implementor/crypto plumber -- I'm currently working on
> > Secure DNS things but I've also recently worked on public key
> > applications, such as SSH (and legacy things like PKIX certificates)
> >
> > So... I believe the topic here is what are the requirements for
> > storing SSH keys in DNS.  Is that correct?
> > (I'll take silence as a yes and simply keep babbling into the
> > microphone here...)
> >
> > P.s. I'm also a co-author on the SSH key format draft.
> >
>
>--
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warlord@MIT.EDU                        PGP key available
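An added illustration of the strawman discussed above (one generic key-storage RR whose LHS name carries the usage subtype, and "it's a blob, you parse it yourself"); this is example code, not anything posted by either author. The owner-name convention, the record mnemonic and the constructed modulus are assumptions; the blob decoding follows the SSH public-key wire layout (length-prefixed strings and mpints) so a resolver-side consumer can confirm the blob really is what the record claims before trusting it.

```python
import base64
import struct

# --- encoding helpers (SSH wire format: 4-byte big-endian length + payload) ---
def _string(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s

def _mpint(n: int) -> bytes:
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")  # extra byte keeps sign bit clear
    return struct.pack(">I", len(raw)) + raw

def encode_ssh_rsa(e: int, n: int) -> str:
    """Base64 ssh-rsa public-key blob, as stored in the record's RHS."""
    return base64.b64encode(_string(b"ssh-rsa") + _mpint(e) + _mpint(n)).decode()

# --- consumer side: parse the blob defensively ---
def parse_ssh_blob(b64: str) -> list:
    """Split a base64 SSH key blob into its length-prefixed fields."""
    blob = base64.b64decode(b64, validate=True)
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (ln,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + ln > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[off:off + ln])
        off += ln
    return fields

def key_usage(owner: str) -> str:
    """LHS-name subtype: the leading underscore label names the usage (assumed convention)."""
    first = owner.split(".", 1)[0]
    if not first.startswith("_"):
        raise ValueError("owner name carries no usage label")
    return first[1:]

def check_record(owner: str, subtype: str, blob_b64: str) -> dict:
    """Validate one constructed KEYSTORE-style record: usage label, subtype and blob agree."""
    usage = key_usage(owner)
    if subtype != "ssh":
        raise ValueError(f"unsupported subtype {subtype!r}")
    fields = parse_ssh_blob(blob_b64)
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("blob does not carry an ssh-rsa key")
    modulus_bits = int.from_bytes(fields[2], "big").bit_length()
    return {"usage": usage, "algorithm": "ssh-rsa", "modulus_bits": modulus_bits}
```

The constructed modulus used below is only a bit-length placeholder, not a real RSA key.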

