To: keydist@cafax.se
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Fri, 04 Jan 2002 15:43:40 -0500
Delivery-Date: Fri Jan 4 21:45:33 2002
In-reply-to: Your message of "Fri, 04 Jan 2002 12:59:08 EST." <3C35ED6C.836FF61D@sun.com>
Sender: owner-keydist@cafax.se
Subject: Re: From whence we came...
>>>>> "Steve" == Steve Hanna <steve.hanna@sun.com> writes:

    Steve> Derek Atkins wrote:
    >> My point is that suggesting that all keys be "certificates (in the
    >> PGP/X.509 sense of the word)" is doing a disservice to the community.
    >> You are basically telling SSH and FreeS/WAN to piss off, and I
    >> believe that is not only unfair but downright wrong. :)

    Steve> That's certainly not what I intended.

    Steve> Let me review where I think we are. SSH uses preconfigured keys.
    Steve> You want a more scalable and less error-prone mechanism for securely
    Steve> distributing keys. We're discussing various options. The primary
    Steve> candidates seem to be:

    Steve> 1) storing keys in DNS, authenticated with DNSSEC
    Steve> 2) certificates (X.509, PGP, or whatever), stored in DNS
    Steve> 3) certificates, exchanged in application protocols
    Steve> 4) certificates, stored in some other location (like an LDAP
    Steve> directory)

    Steve> I pointed out that one big disadvantage of solution 1) is that
    Steve> DNSSEC uses a top-down trust model with a single root. That
    Steve> may be OK for DNS, but it's a bummer for many other applications
    Steve> (including SSH, I would suggest).

Why?

I control sandelman.ottawa.on.ca. I have that control based upon DNS. I put keys in for my hosts into DNS.

While DNS may have a single ., it may be that I'll never trust it. I *do*, however, trust the key at sandelman.ottawa.on.ca. (i.e. I configure all my hosts to all trust it).

This works just fine for my users. They no longer need to worry when they login to a host they have never logged into before if the host is correct.

If I give you an account on a machine here, then we may have to deal with cross-enterprise trust. We either have a bilateral agreement (could be TSIG) or we trust a third party.

But, if you don't trust me (directly or indirectly) to give you the A record, then why would you trust any system to provide you with the public key?

] ON HUMILITY: to err is human.
To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
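An added illustration of the island-of-trust model argued for in the message above (written for this archive; it is not code from the thread or from any named project): a toy in Go where the zone operator signs host-key fingerprints with the zone key, and an SSH client that was configured with that zone key as its trust anchor verifies records without ever involving the DNS root. The record layout, the zone and host names, and the ed25519 keys are all constructed for the example; real DNSSEC uses different record types and algorithms.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// HostKeyRecord: constructed stand-in for a signed DNS record (not DNSSEC wire format).
type HostKeyRecord struct {
	Name        string // host name the record is for
	Zone        string // zone whose key signed the record
	Fingerprint string // hex SHA-256 of the host public key
	Sig         []byte // zone-key signature over Name|Zone|Fingerprint
}

// TrustAnchors: zone name -> zone public key the client was configured to trust.
type TrustAnchors map[string]ed25519.PublicKey

// SignHostKey (zone operator's side): sign a host key's fingerprint with the zone's private key.
func SignHostKey(zone string, zonePriv ed25519.PrivateKey, name string, hostPub []byte) HostKeyRecord {
	sum := sha256.Sum256(hostPub)
	r := HostKeyRecord{Name: name, Zone: zone, Fingerprint: hex.EncodeToString(sum[:])}
	r.Sig = ed25519.Sign(zonePriv, []byte(r.Name+"|"+r.Zone+"|"+r.Fingerprint))
	return r
}

// VerifyHostKey (SSH client's side): accept the host key only if its record verifies under an anchored zone key.
func VerifyHostKey(anchors TrustAnchors, r HostKeyRecord, name string, presentedPub []byte) bool {
	zonePub, ok := anchors[r.Zone]
	if !ok || r.Name != name {
		return false // no configured anchor for this zone: no chain of trust, root or not
	}
	if !ed25519.Verify(zonePub, []byte(r.Name+"|"+r.Zone+"|"+r.Fingerprint), r.Sig) {
		return false // record was not signed by the anchored zone key
	}
	sum := sha256.Sum256(presentedPub)
	return hex.EncodeToString(sum[:]) == r.Fingerprint
}

func main() {
	zonePub, zonePriv, _ := ed25519.GenerateKey(rand.Reader)
	hostPub, _, _ := ed25519.GenerateKey(rand.Reader) // stands in for an SSH host key
	anchors := TrustAnchors{"sandelman.ottawa.on.ca.": zonePub}
	rec := SignHostKey("sandelman.ottawa.on.ca.", zonePriv, "host1.sandelman.ottawa.on.ca.", hostPub)
	fmt.Println("host key accepted:", VerifyHostKey(anchors, rec, "host1.sandelman.ottawa.on.ca.", hostPub))
}
```

A record signed by a zone the client has no anchor for is rejected even if its signature is valid, which is the point: trust starts at the key you configured, not at the root.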