To: Steve Hanna <steve.hanna@sun.com>
Cc: Ted.Hardie@nominum.com, keydist@cafax.se
From: Derek Atkins <warlord@MIT.EDU>
Date: 04 Jan 2002 14:48:28 -0500
Delivery-Date: Fri Jan 4 20:48:35 2002
In-Reply-To: Steve Hanna's message of "Fri, 04 Jan 2002 14:14:18 -0500"
Sender: owner-keydist@cafax.se
Subject: Re: From whence we came...

Steve Hanna <steve.hanna@sun.com> writes:

> Using DNSSEC for key distribution is certainly *more* likely to
> perpetuate a monopoly than using certificates, since DNSSEC requires
> a single global trusted root. Many organizations (like Sun) have
> set up their own CAs and installed those as their trust anchor.
> Server applications are often the first to move over to the new
> trust anchor, since they only need to be configured once.

And you set up "sun.com" as your secure zone and just as you currently
distribute the sun.com CA key to your browsers, you can distribute the
sun.com zone key to your resolvers.  I don't see your point.

Why are you forcing certificates when they are not necessary?  Can we
step back from this discussion and talk about requirements, please?  I
think we've rat-holed in details and might be missing the forest for
the trees (or at least missing the certificates for the keys ;)

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
