To: Steve Hanna <steve.hanna@sun.com>
Cc: Paul Hoffman / IMC <phoffman@imc.org>, keydist@cafax.se
From: Derek Atkins <warlord@MIT.EDU>
Date: 04 Jan 2002 10:52:40 -0500
Delivery-Date: Fri Jan 4 17:01:59 2002
In-Reply-To: Steve Hanna's message of "Thu, 03 Jan 2002 12:55:38 -0500"
Sender: owner-keydist@cafax.se
Subject: Re: From whence we came...

Steve Hanna <steve.hanna@sun.com> writes:
> Yes, a top-down trust model with a single root may work for some
> people. We certainly shouldn't prohibit it. But we shouldn't require
> it, either. And using DNSSEC to distribute raw keys forces you into
> that trust model. I think we're in agreement about this!
>
> I was trying to focus on your earlier comment:
>
> > Everyone: you have to decide whether you want certs or keys.
>
> My point was that certs have some important advantages over DNSSEC
> for key distribution.

There are some applications (e.g. SSH, Linux FreeS/WAN) that use raw
public keys. I think we should support them and provide an
infrastructure for them. Considering that both SSH and IPsec are
closely tied to current DNS functionality (i.e. A-record lookup), I
believe that forcing the SSH/IPsec key into the same DNSSec hierarchy
as the A record is perfectly acceptable.

I also believe that the current PGP Keyservers have long over-run
their usefulness and being able to store and distribute PGP keys is
also a worthwhile goal. The requirements are slightly different for
PGP than for SSH/IPsec, mostly because the latter are host-based
identification and the former are user-based.

My point is that suggesting that all keys be "certificates (in the
PGP/X.509 sense of the word)" is doing a disservice to the community.
You are basically telling SSH and FreeS/WAN to piss off, and I
believe that is not only unfair but downright wrong. :)

-derek

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available