To: Simon Josefsson <simon+keydist@josefsson.org>
Cc: keydist@cafax.se
From: Randy Bush <randy@psg.com>
Date: Mon, 31 Dec 2001 11:56:52 -0800
Delivery-Date: Mon Dec 31 20:57:01 2001
Sender: owner-keydist@cafax.se
Subject: Re: What are we trying to do?
>> having the ldap server be available only authed and crypted, and serving
>                                           ^^^^^^     ^^^^^^^
> This is where the problem is -- how do you propose to achieve auth/crypt?
> Assuming symmetric techniques are used; the client and server need to
> have exchanged keying material via some secure channel earlier.

good point. but ... the apps folk have had two rrs added to the dns to
supposedly meet their needs, srv and naptr. if neither of these provides
a way to form a safe security association, then one or both of them are
broken and should be fixed. what should not happen is adding more and
more rrs (or overloading current ones) until they figure out how to get
it right.

randy