

To: keydist@cafax.se
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Thu, 03 Jan 2002 11:18:32 -0500
Delivery-Date: Thu Jan 3 18:59:31 2002
In-reply-to: Your message of "Wed, 02 Jan 2002 20:29:20 PST." <p0510100eb8598733d1e3@[165.227.249.20]>
Sender: owner-keydist@cafax.se
Subject: Re: What are we trying to do?

-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "IMC" == IMC  <Paul> writes:
    IMC> Three broad categories of mechanisms for getting the public key of 
    IMC> another host are:
    IMC> (a)(1) Ask the host itself
    IMC> (a)(2) Ask a server that is somehow associated with the host
    IMC> (a)(3) Ask a bunch of servers that are not associated with the host 
    IMC> but are known to have a bunch of keys

    IMC> The "do it in the DNS" solutions appear to be (a)(2) plus (b)(1). Ask 
    IMC> the server which knows about the DNS records for the server in 
    IMC> question; chain through certificates to the DNS root.

  Note that the easiest DNS server to find that knows something about the
host is the reverse map server. It is also the situation that when a packet
arrives which needs to be authenticated (or cause some mechanism to be
started which will authenticate that packet), it may be that the only thing
that one can know is the source IP.

  If there is something that the DNS people can do, it is to actively push
DNSUPD for filling the contents of the reverse map.

    IMC> A completely minimal PKIX certificate for a 1024-bit key is about 400 
    IMC> octets long; a typical certificate is closer to 500 octets. This 
    IMC> means that passing more than one certificate in UDP is going to take 
    IMC> either packets >576 octets (or whatever the magic number is these 
    IMC> days for minimal PMTU) or it will have to happen in multiple round 
    IMC> trips.

  With 1280 as the IPv6 min PMTU, things look a little bit better.

  Since the reverse maps are so screwed, we have considered a protocol that 
essentially uses DNS as the transport, but asks the host itself, i.e:
	    dig @A.B.C.D D.C.B.A.in-addr.arpa. key

  Finally, this discussion about "application" keys is somewhat silly.

  In the case of IPsec and SSH we do not believe that they are applications
to anyone other than the DNS folks. Many operations people consider these
protocols to be *infrastructure*. If the fundamental security protocols do
not work, then the Internet does not work. 
  (SNMP over IPsec appears to be the only useful way to do that, and SSH has
become the standard interface to CLIs)

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys

iQCVAwUBPDSEVoqHRg3pndX9AQF3UQP/WVsvfySA7dzhIUC92Dam0iLIjcgnnE/V
tavyRLSDLJG47kaXAFAm5Hvx7/pXKmPHbLz3ySEGMgEjt1hjh0tEQCyYSe0JUydZ
ggC/ckv3KPQTw2m78CrpE6+POlQ/tv7uQPxRJUHcaCZNiyAJ1n1HLo6cmdEvojd+
BEfL/ptrcwA=
=W9lw
-----END PGP SIGNATURE-----
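The "ask the host itself, with DNS as the transport" probe and the datagram-size arithmetic discussed in the message above, as an added example that is not part of the original post or of any project Michael Richardson describes. It derives the reverse-map owner name for an address, builds a wire-format KEY query (RR type 25, the type the dig command asks for) with an optional EDNS0 OPT record advertising a larger UDP payload, optionally sends it to port 53 on the host itself, and works out how many certificates of a given size fit in one minimal IPv4 (576) or IPv6 (1280) datagram. The function names, the example addresses (documentation ranges), and the fixed 20/40-octet IP plus 8-octet UDP header and 12-octet-per-RR accounting are my assumptions, not figures from the thread.

```python
import ipaddress
import socket
import struct
from typing import Optional

# RFC 2535 KEY record: the RR type the dig command in the message asks for.
KEY_RRTYPE = 25
# EDNS0 OPT pseudo-RR type (RFC 2671).
OPT_RRTYPE = 41


def reverse_name(ip: str) -> str:
    """Owner name under in-addr.arpa / ip6.arpa for an address: the one
    thing a receiver may know about the sender of an unauthenticated packet."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def encode_name(name: str) -> bytes:
    """Uncompressed RFC 1035 wire-format name (length-prefixed labels)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name: str, qtype: int, txid: int = 0x1234,
                edns_udp_size: Optional[int] = None) -> bytes:
    """DNS query datagram for (name, qtype, class IN) with RD set.
    If edns_udp_size is given, an OPT record advertising that payload size
    is appended so the answer need not be squeezed into 512 octets."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    opt = b""
    if edns_udp_size:
        # OPT: root owner name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode/version/flags (all zero), RDLENGTH 0.
        opt = b"\x00" + struct.pack(">HHIH", OPT_RRTYPE, edns_udp_size, 0, 0)
    return header + question + opt


def udp_payload_budget(ip_version: int) -> int:
    """Octets left for DNS in a minimal datagram: 576 (IPv4 reassembly
    minimum) or 1280 (IPv6 minimum MTU) less IP and UDP headers. Assumes
    no IP options or extension headers (my simplification)."""
    if ip_version == 4:
        return 576 - 20 - 8
    if ip_version == 6:
        return 1280 - 40 - 8
    raise ValueError("ip_version must be 4 or 6")


def certs_per_datagram(cert_octets: int, ip_version: int, name: str) -> int:
    """How many certificate RRs with cert_octets of RDATA fit in one minimal
    answer datagram without EDNS0. Assumes each RR carries a 2-octet
    compression pointer as owner name plus the 10 fixed octets of
    TYPE/CLASS/TTL/RDLENGTH (RFC 1035), i.e. 12 octets of overhead."""
    question_octets = len(encode_name(name)) + 4
    room = udp_payload_budget(ip_version) - 12 - question_octets
    return max(0, room // (cert_octets + 12))


def ask_host_itself(ip: str, timeout: float = 2.0) -> Optional[bytes]:
    """Send the reverse-map KEY query to port 53 on the host itself, as the
    dig command in the message does; return the raw reply or None."""
    addr = ipaddress.ip_address(ip)
    family = socket.AF_INET if addr.version == 4 else socket.AF_INET6
    name = reverse_name(ip)
    query = build_query(name, KEY_RRTYPE,
                        edns_udp_size=udp_payload_budget(addr.version))
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (ip, 53))
            data, _ = s.recvfrom(4096)
        except OSError:
            return None
    # Accept only a reply that echoes our transaction ID and question and
    # has the QR bit set; anything else is noise or a spoof attempt.
    question = query[12:12 + len(encode_name(name)) + 4]
    if len(data) < 12 or data[:2] != query[:2] or not data[2] & 0x80:
        return None
    if data[12:12 + len(question)] != question:
        return None
    return data


if __name__ == "__main__":
    # 192.0.2.1 is a documentation address (constructed input); no host
    # answers there, so the probe is expected to return None.
    name = reverse_name("192.0.2.1")
    print(name, len(build_query(name, KEY_RRTYPE)), "octets of query")
    for size, version in ((400, 4), (500, 4), (500, 6)):
        print(f"{size}-octet certs per IPv{version} minimal datagram:",
              certs_per_datagram(size, version, name))
    print("probe:", ask_host_itself("192.0.2.1", timeout=0.5))
```

Run stand-alone, the script shows the point of the size discussion directly: with the fixed RR overhead counted, a single 500-octet certificate does not even fit a 576-octet IPv4 datagram, while two fit under the 1280-octet IPv6 minimum; a 400-octet minimal certificate squeezes into IPv4. The probe function exists to show the exchange shape; it sends nothing unless called.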
