To: Derek Atkins <warlord@MIT.EDU>
Cc: keydist@cafax.se
From: Rodney Thayer <rodney@tillerman.to>
Date: Thu, 13 Dec 2001 11:20:00 -0700
Delivery-Date: Thu Dec 13 19:23:12 2001
In-Reply-To: <sjmu1uv5a7k.fsf@benjamin.ihtfp.org>
Sender: owner-keydist@cafax.se
Subject: Re: hello!
Hmmm. It seems that we want to quantify...
-- the usage of a key in the directory
-- is a multi-purpose key something we want to support
-- is the solution to be "format agnostic" (e.g. it's a blob, you parse it yourself)
-- what "usage types" are appropriate for DNS

If we are to begin at the beginning, we need to enumerate requirements for keys. One I want to have is to be able to store ssh keys, at least for use in accessing infrastructure devices. In other words, I can see the point that storing the SSH keys for my desktop linux system might not be an appropriate use of DNS, but I think that storing the SSH keys for my router is appropriate.

As I understand the objections in the DNSEXT WG, they were sort of saying that "application keys are not something the DNS should be used to store". I would like to interpret that as "non-infrastructure-related application keys". Or, perhaps, "not keys for which there are other directory mechanisms". In other words, I don't think anyone is asking to store something like a PKIX CRL in DNS.

At 11:57 AM 12/13/2001 -0500, Derek Atkins wrote:
>Hi, Rodney,
>
>Indeed, we're trying to come up with requirements for various
>applications.
>
>My strawman proposal is that:
> - a DNS key-storage record will store keys
> - applications can design their own policy/configuration-storage records
>   to store application policy/configuration information
>
>But there are still a lot of open questions. For example, can we
>use a single, subtyped "generic application key/certificate storage
>RR type" and use LHS names to differentiate the key-usage types.
>Alternatively, we can split various key formats into different
>RR types (raw keys, x.509 certs, pgp keys, spki certs, etc)...
>Or we can even do a combination of them all.
>
>But stepping back from all this, can we come up with a set of
>requirements for key storage (in general)?
>
>-derek
>
>Rodney Thayer <rodney@tillerman.to> writes:
>
> > Hello there. I'm Rodney Thayer, I am interested in participating
> > in the discussion of storing SSH keys in DNS. I am a security
> > architect/implementor/crypto plumber -- I'm currently working on
> > Secure DNS things but I've also recently worked on public key
> > applications, such as SSH (and legacy things like PKIX certificates)
> >
> > So... I believe the topic here is what are the requirements for
> > storing SSH keys in DNS. Is that correct?
> > (I'll take silence as a yes and simply keep babbling into the
> > microphone here...)
> >
> > P.s. I'm also a co-author on the SSH key format draft.
> >
>
>--
> Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> Member, MIT Student Information Processing Board (SIPB)
> URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> warlord@MIT.EDU PGP key available