To: keydist@cafax.se
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Thu, 03 Jan 2002 11:18:32 -0500
Delivery-Date: Thu Jan 3 18:59:31 2002
In-reply-to: Your message of "Wed, 02 Jan 2002 20:29:20 PST." <p0510100eb8598733d1e3@[165.227.249.20]>
Sender: owner-keydist@cafax.se
Subject: Re: What are we trying to do?
>>>>> "IMC" == IMC <Paul> writes:

IMC> Three broad categories of mechanisms for getting the public key of
IMC> another host are:
IMC> (a)(1) Ask the host itself
IMC> (a)(2) Ask a server that is somehow associated with the host
IMC> (a)(3) Ask a bunch of servers that are not associated with the host
IMC> but are known to have a bunch of keys

IMC> The "do it in the DNS" solutions appear to be (a)(2) plus (b)(1). Ask
IMC> the server which knows about the DNS records for the server in
IMC> question; chain through certificates to the DNS root.

Note that the easiest DNS server to find that knows something about the host is the reverse map server.

It is also the situation that when a packet arrives which needs to be authenticated (or causes some mechanism to be started which will authenticate that packet), it may be that the only thing that one can know is the source IP.

If there is something that the DNS people can do, it is to actively push DNSUPD for filling the contents of the reverse map.

IMC> A completely minimal PKIX certificate for a 1024-bit key is about 400
IMC> octets long; a typical certificate is closer to 500 octets. This
IMC> means that passing more than one certificate in UDP is going to take
IMC> either packets >576 octets (or whatever the magic number is these
IMC> days for minimal PMTU) or it will have to happen in multiple round
IMC> trips.

With 1280 as the IPv6 min PMTU, things look a little bit better.

Since the reverse maps are so screwed, we have considered a protocol that essentially uses DNS as the transport, but asks the host itself, i.e.:

    dig @A.B.C.D D.C.B.A.in-addr.arpa. key

Finally, this discussion about "application" keys is somewhat silly. In the case of IPsec and SSH we do not believe that they are applications to anyone other than the DNS folks. Many operations people consider these protocols to be *infrastructure*. If the fundamental security protocols do not work, then the Internet does not work.
(SNMP over IPsec appears to be the only useful way to do that, and SSH has become the standard interface to CLIs.)

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
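The certificate-size and reverse-map points above can be made concrete with a small size-budget calculation. This is an added example, not code from the original message or from any keydist participant: it builds the reverse-map owner name the mail suggests querying (D.C.B.A.in-addr.arpa for IPv4, the nibble form under ip6.arpa for IPv6) and counts how many certificates of a given size fit in one unfragmented UDP reply at the two minimum PMTUs quoted in the thread. It assumes minimal IP/UDP/DNS headers, a compressed owner name on each answer RR, and that each certificate travels in its own CERT RR (RFC 2538: 2-octet type, 2-octet key tag, 1-octet algorithm ahead of the certificate bytes).

```python
"""Size budget for shipping PKIX certificates in a single UDP DNS reply."""
import ipaddress

UDP_HEADER = 8
DNS_HEADER = 12
# Per answer RR: 2-octet compressed owner pointer + TYPE(2) CLASS(2) TTL(4) RDLENGTH(2)
RR_FIXED = 2 + 2 + 2 + 4 + 2
# CERT RR rdata prefix (RFC 2538): type(2), key tag(2), algorithm(1)
CERT_RDATA_PREFIX = 2 + 2 + 1


def reverse_name(addr: str) -> str:
    """Reverse-map owner name with trailing dot, e.g. '1.2.0.192.in-addr.arpa.'."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def wire_name_len(name: str) -> int:
    """Octets of an uncompressed DNS name: one length octet per label plus the root."""
    labels = [label for label in name.split(".") if label]
    return sum(1 + len(label) for label in labels) + 1


def certs_per_reply(addr: str, cert_octets: int, pmtu: int) -> int:
    """Whole CERT RRs (each carrying one certificate) that fit in one UDP reply.

    The reply is a response to a reverse-map query for `addr`, so the question
    section repeats that owner name.  IPv4 replies assume a 20-octet IP header,
    IPv6 replies a 40-octet one; `pmtu` is the whole-packet limit.
    """
    ip = ipaddress.ip_address(addr)
    ip_header = 20 if ip.version == 4 else 40
    question = wire_name_len(reverse_name(addr)) + 2 + 2   # QNAME + QTYPE + QCLASS
    budget = pmtu - ip_header - UDP_HEADER - DNS_HEADER - question
    per_rr = RR_FIXED + CERT_RDATA_PREFIX + cert_octets
    return max(0, budget // per_rr)


if __name__ == "__main__":
    # Sample addresses are constructed (documentation ranges), not taken from the mail.
    for addr, pmtu in (("192.0.2.1", 576), ("2001:db8::1", 1280)):
        for cert in (400, 500):
            print(f"{reverse_name(addr)} pmtu={pmtu} cert={cert}: "
                  f"{certs_per_reply(addr, cert, pmtu)} certificate(s) per reply")
```

At the IPv4 576-octet minimum a single 400-octet certificate fits and a 500-octet one does not, while the IPv6 1280-octet minimum carries two of either size, which is the "looks a little bit better" in the mail.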