To: Derek Atkins <warlord@MIT.EDU>
CC: Ted.Hardie@nominum.com, keydist@cafax.se
From: Steve Hanna <steve.hanna@sun.com>
Date: Fri, 04 Jan 2002 15:23:19 -0500
Delivery-Date: Fri Jan 4 21:25:22 2002
Sender: owner-keydist@cafax.se
Subject: Re: From whence we came...
Derek Atkins wrote:
> Steve Hanna <steve.hanna@sun.com> writes:
> > Using DNSSEC for key distribution is certainly *more* likely to
> > perpetuate a monopoly than using certificates, since DNSSEC requires
> > a single global trusted root. Many organizations (like Sun) have
> > set up their own CAs and installed those as their trust anchor.
> > Server applications are often the first to move over to the new
> > trust anchor, since they only need to be configured once.
>
> And you set up "sun.com" as your secure zone and just as you currently
> distribute the sun.com CA key to your browsers, you can distribute the
> sun.com zone key to your resolvers.

I don't see your point. With DNSSEC, there's no way for sun.com to
cross-certify with other zones. And there's no way to indicate which
cross-certificates can be used with which applications. My point is that
these are important features that are not available if you use keys in
DNSSEC.

> Why are you forcing certificates when they are not necessary? Can we
> step back from this discussion and talk about requirements, please? I
> think we've rat-holed in details and might be missing the forest for
> the trees (or at least missing the certificates for the keys ;)

Requirements. Good idea.

-Steve