To: keydist@cafax.se
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Fri, 04 Jan 2002 15:43:40 -0500
Delivery-Date: Fri Jan 4 21:45:33 2002
In-reply-to: Your message of "Fri, 04 Jan 2002 12:59:08 EST." <3C35ED6C.836FF61D@sun.com>
Sender: owner-keydist@cafax.se
Subject: Re: From whence we came...
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Steve" == Steve Hanna <steve.hanna@sun.com> writes:
Steve> Derek Atkins wrote:
>> My point is that suggesting that all keys be "certificates (in the
>> PGP/X.509 sense of the word)" is doing a disservice to the community.
>> You are basically telling SSH and FreeS/WAN to piss off, and I
>> believe that is not only unfair but downright wrong. :)
Steve> That's certainly not what I intended.
Steve> Let me review where I think we are. SSH uses preconfigured keys.
Steve> You want a more scalable and less error-prone mechanism for securely
Steve> distributing keys. We're discussing various options. The primary
Steve> candidates seem to be:
Steve> 1) storing keys in DNS, authenticated with DNSSEC
Steve> 2) certificates (X.509, PGP, or whatever), stored in DNS
Steve> 3) certificates, exchanged in application protocols
Steve> 4) certificates, stored in some other location (like an LDAP
Steve> directory)
Steve> I pointed out that one big disadvantage of solution 1) is that
Steve> DNSSEC uses a top-down trust model with a single root. That
Steve> may be OK for DNS, but it's a bummer for many other applications
Steve> (including SSH, I would suggest).
Why?
I control sandelman.ottawa.on.ca. I have that control based upon DNS.
I put keys for my hosts into DNS. While DNS may have a single ., it may
be that I'll never trust it. I *do*, however, trust the key at sandelman.ottawa.on.ca.
(i.e. I configure all my hosts to trust it).
This works just fine for my users. They no longer need to worry, when they
log in to a host they have never logged into before, whether the host is
correct.
If I give you an account on a machine here, then we may have to deal with
cross-enterprise trust. We either have a bilateral agreement (could be TSIG)
or we trust a third party.
But, if you don't trust me (directly or indirectly) to give you the A
record, then why would you trust any system to provide you with the public
key?
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys
iQCVAwUBPDYT+IqHRg3pndX9AQGOhQP/du52p/+C4Fp6GrwKTPZFSnVZrmdTA0a7
XNq8W/XI0LZOtX1XA7nyl9PrnzSa0A2ysbOuvX8sf60EzwE+FJoo/BiENeRIBkx3
UUMDSbatETMj6NPuh2U1YM3IZKaZiKz4gXTNUZFXhSBLNaFwDcRmZP5xOOkxk+Zo
1/UpdGxGgX8=
=a8It
-----END PGP SIGNATURE-----
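The scheme the message above argues for, host keys published in the owner's DNS zone and accepted by the client only when the answer is DNSSEC-authenticated, as an added worked example. This is not code from the message or from the keydist list. It uses the SSHFP record format that was standardized for exactly this purpose later (RFC 4255, January 2006), with the SHA-256 and Ed25519 code points from RFC 6594 and RFC 7479. The zone contents, host names and key material are constructed for the example, and the `ad` flag stands in for a validating resolver's "authenticated data" result; real code takes that from the resolver, not from a dict.

```python
"""Added example: SSH host-key verification against DNS-published fingerprints.

Not code from the original message. Zone data, host names and keys below are
constructed; the `ad` flag stands in for a validating resolver's DNSSEC result.
"""
import base64
import hashlib
import hmac
import struct

# SSHFP code points: RFC 4255 (RSA=1, DSA=2, SHA-1=1), RFC 6594 (ECDSA=3,
# SHA-256=2), RFC 7479 (Ed25519=4).
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2,
                    "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_SHA1 = 1
SSHFP_SHA256 = 2
HASHES = {SSHFP_SHA1: hashlib.sha1, SSHFP_SHA256: hashlib.sha256}


def parse_pubkey_line(line):
    """Parse an OpenSSH public key line into (key type, wire blob).

    The blob is the base64 payload; its first field is the length-prefixed
    key type string, which must agree with the textual type in the line.
    """
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type in blob does not match %r" % keytype)
    if keytype not in SSHFP_ALGORITHMS:
        raise ValueError("no SSHFP algorithm number for %r" % keytype)
    return keytype, blob


def sshfp_record(line, fptype=SSHFP_SHA256):
    """Zone-owner side: the SSHFP RDATA (alg, fptype, hex digest) to publish."""
    keytype, blob = parse_pubkey_line(line)
    return (SSHFP_ALGORITHMS[keytype], fptype, HASHES[fptype](blob).hexdigest())


def verify_host_key(hostname, line, zone):
    """Client side: accept the key a host offers only if a DNSSEC-authenticated
    SSHFP record for that name carries a matching fingerprint."""
    answer = zone.get(hostname)
    if answer is None:
        return False  # no record published: nothing to check against
    if not answer["ad"]:
        return False  # unsigned answer: no better than a spoofed A record
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHMS[keytype]
    for r_alg, r_type, r_hex in answer["rrs"]:
        if r_alg != alg or r_type not in HASHES:
            continue
        want = HASHES[r_type](blob).hexdigest()
        if hmac.compare_digest(want, r_hex.lower()):
            return True
    return False


def _demo_key(seed):
    """Constructed Ed25519-shaped public key line (not a real key pair):
    32 pseudo-random bytes stand in for the curve point."""
    raw = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


HOST = "host1.example."  # constructed name, not a real host
HOST_KEY = _demo_key(b"constructed host key")
ROGUE_KEY = _demo_key(b"constructed key of an impostor")

# Constructed zone answers, each with the resolver's DNSSEC result attached.
ZONE = {
    HOST: {"ad": True, "rrs": [sshfp_record(HOST_KEY)]},
    "unsigned.example.": {"ad": False, "rrs": [sshfp_record(HOST_KEY)]},
}


def demo():
    """Three first-login cases: genuine host, impostor, zone not signed."""
    return {
        "genuine": verify_host_key(HOST, HOST_KEY, ZONE),
        "rogue": verify_host_key(HOST, ROGUE_KEY, ZONE),
        "unsigned": verify_host_key("unsigned.example.", HOST_KEY, ZONE),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(case, "accept" if ok else "reject")
```

The point of the `ad` check is the one the message makes: if the client will not trust the zone (directly, or via a trust anchor it has configured for that zone) to give it an authenticated answer, a fingerprint fetched from that zone is worth no more than the A record that got it there. In OpenSSH this lookup is what `VerifyHostKeyDNS` does, and it likewise only treats the record as a match when the resolver reports the answer as validated.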