To:
Randy Bush <randy@psg.com>
Cc:
Edward Lewis <lewis@tislabs.com>, Key Distribution <keydist@cafax.se>
From:
David Conrad <david.conrad@nominum.com>
Date:
Fri, 28 Dec 2001 11:25:49 -0800
Delivery-Date:
Fri Dec 28 20:25:53 2001
In-Reply-To:
<E16Js5Y-000Oj8-00@rip.psg.com>
Sender:
owner-keydist@cafax.se
User-Agent:
Microsoft-Entourage/10.0.0.1331
Subject:
Re: What are we trying to do?
On 12/28/01 12:10 AM, "Randy Bush" <randy@psg.com> wrote: > i am not a pki expert, so, unlike some, will refrain from judgement. > let's see your license and registration. I wasn't aware you believe yourself to be the Internet's Policeman. Explains a bit. > notice that the pki folk from security have not asked us to store keys > in the dns for a while. I have seen suggestions for putting for SSH keys, PGP keys, and X.509 certs (and CRLs) in the DNS several times recently. Folks at JHU and (I believe) NAI have working code that puts SSH keys in the DNS. FreeSWAN is using the KEY RR despite some individuals concern that this would be inappropriate (and the KEY RR being designed to do this). I'm sure there are other applications of which I'm unaware. I would have thought even you would consider the folks at NAI or those doing FreeSWAN as "folk from security". I guess they don't have the appropriate license and registration cards. In any event, as I prefer to view such suggestions in the context of working code as opposed to the credentials of the requestors (I know, I'm a maverick), I had thought it would be a good idea to clarify what people who do want to put keys in the DNS (be they PKI experts or not) should do. Note that I'm not indicating that I believe it to be a good idea or not -- as you indicate, I am not a card carrying security expert. However, as people are doing it and some are doing it in a way that at least a few people consider "wrong", coming up with a standardized way of placing keys in the DNS seems like a good idea. We can then even let the market decide whether the whole concept is a good idea or not. > and the hard core security folk i listen to > have yet to make clear to me what path they want to take. when they do > so in a formal way, then we might have some basis to discuss this. Given there is already working code that makes use of the DNS for publishing keys, perhaps the license and registration carrying security folk should be encouraged to explain why doing so is bad? Since you seem to know who these individuals are, perhaps you should ask them to participate? > imiho, pki is a job that starts in the security area, Perhaps interesting to note it started in 1995. > not we who have > spent six+ years fumbling at designing and deploying somewhat secure > dns, and have yet to succeed. Wasn't DNSSEC defined in the security area? This probably isn't the place to get into discussing why deploying DNSSEC has failed to date. > maybe we should do that well, before > having the hubris to take on everyone else's job. So nice of you to protect everyone else's job. Part of your role as the Internet's Policeman, I gather. Rgds, -drc