To:
Randy Bush <randy@psg.com>
Cc:
keydist@cafax.se
From:
Simon Josefsson <simon+keydist@josefsson.org>
Date:
Fri, 28 Dec 2001 16:17:55 +0100
Delivery-Date:
Fri Dec 28 16:20:13 2001
In-Reply-To:
<E16Js5Y-000Oj8-00@rip.psg.com> (Randy Bush's message of "Fri,28 Dec 2001 00:10:00 -0800")
Sender:
owner-keydist@cafax.se
User-Agent:
Gnus/5.090004 (Oort Gnus v0.04) Emacs/21.1 (i686-pc-linux-gnu)
Subject:
Re: What are we trying to do?
Randy Bush <randy@psg.com> writes:

>> So, to be clear, do you feel that the advantages the existing DNS provide
>> in terms of scalability, cachability, reliability, redundancy, etc. have
>> insignificant value in the context of public key distribution or do you
>> feel it is better to reinvent an architecture that will provide those
>> attributes (and if so, why)?
>
> i am not a pki expert, so, unlike some, will refrain from judgement.
> let's see your license and registration.
>
> notice that the pki folk from security have not asked us to store keys
> in the dns for a while. and the hard core security folk i listen to
> have yet to make clear to me what path they want to take. when they do
> so in a formal way, then we might have some basis to discuss this.
> otherwise we have hackola solutions looking for a problem.

Ultimately the need should be driven by application writers, and there is input (as drafts) from application WGs that explicitly want to store application keys in DNS: SSH, IPSEC. I believe PGP folks have also expressed interest in seeing PGP keys distributed via DNS. There are also security requirements from other areas, such as BGP, that might utilize DNS in the solution.

I'd say we have plenty of input from other WGs to not worry about there being no problem to solve.

PKI (in the PKIX sense) is a different beast than application keys, and I agree there hasn't been much interest in that area. Perhaps focusing on application keys for SSH, IPSEC and possibly PGP as the first step would generate some momentum.