To:
Rodney Thayer <rodney@tillerman.to>
Cc:
Derek Atkins <warlord@MIT.EDU>, keydist@cafax.se
From:
Edward Lewis <lewis@tislabs.com>
Date:
Thu, 13 Dec 2001 18:31:40 -0500
Delivery-Date:
Fri Dec 14 01:02:19 2001
In-Reply-To:
<5.1.0.14.2.20011213111446.056e1f10@127.0.0.1>
Sender:
owner-keydist@cafax.se
Subject:
Re: hello!
At 1:20 PM -0500 12/13/01, Rodney Thayer wrote: >If we are to begin at the beginning, we need to enumerate requirements >for keys. One I want to have is to be able to store ssh keys, >at least for use in accessing infrastructure devices. Yup, ironically though, we aren't at the beginning, but what progress has been already made has taught us that we need requirements. >In other words, I can see the point that storing the SSH keys for my >desktop linux system might not be an appropriate use of DNS, but >I think that storing the SSH keys for my router is appropriate. I'd like to debate that, but not in this thread. I have no problem with desktop keys (as they are the same as router login keys). The router admin may not be any close to the DNS admin than a host admin. >As I understand the objections in the DNSEXT WG, they were sort of >saying that "application keys are not something the DNS should be used to >store". I would like to interpret that as "non-infrastructure-related >application keys". Or, perhaps, "not keys for which there are other >directory mechanisms". In other words, I dont' think anyone is asking >to store something like a PKIX CRL in DNS. The DNSEXT objection was pretty much as you say. However, I have already written code that pulled CRL's from DNS. (The CERT record is suitable for CRLs.) -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis NAI Labs Phone: +1 443-259-2352 Email: lewis@tislabs.com Opinions expressed are property of my evil twin, not my employer.