To:
Steve Hanna <steve.hanna@sun.com>
Cc:
Derek Atkins <warlord@MIT.EDU>, Ted.Hardie@nominum.com, keydist@cafax.se
From:
Simon Josefsson <simon+keydist@josefsson.org>
Date:
Fri, 04 Jan 2002 22:12:42 +0100
Delivery-Date:
Fri Jan 4 22:14:22 2002
In-Reply-To:
<3C360F37.890F753D@sun.com> (Steve Hanna's message of "Fri, 04 Jan 2002 15:23:19 -0500")
Sender:
owner-keydist@cafax.se
User-Agent:
Gnus/5.090005 (Oort Gnus v0.05) Emacs/21.1.50 (i686-pc-linux-gnu)
Subject:
Re: From whence we came...
Steve Hanna <steve.hanna@sun.com> writes:

> Derek Atkins wrote:
>> And you set up "sun.com" as your secure zone and just as you currently
>> distribute the sun.com CA key to your browsers, you can distribute the
>> sun.com zone key to your resolvers. I don't see your point.
>
> With DNSSEC, there's no way for sun.com to cross-certify with other
> zones. And there's no way to indicate which cross-certificates
> can be used with which applications. My point is that these are
> important features that are not available if you use keys in DNSSEC.

If you need cross-certification, you can exchange TSIG keys between the
two domains and run TSIG-protected DNS. Storing keys in DNS is for
global uses where cross-certification does not scale.
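What "exchange TSIG keys and run TSIG-protected DNS" means on the wire, as an added example that is not part of the original message or of any project's code: the two domains share a secret, the sender appends a TSIG RR whose MAC is an HMAC over the unsigned message plus the TSIG variables (RFC 2845), and the receiver recomputes it under the same key. The key name, secret, timestamps and query below are constructed for the example; only the standard library is used, name compression is deliberately unsupported, and only HMAC-SHA256 is registered.

```python
"""Minimal TSIG (RFC 2845) signing and verification of a DNS message with a
shared secret. Constructed example using only the Python standard library."""
import hashlib
import hmac
import struct
import time

TYPE_TSIG = 250
CLASS_ANY = 255
ALGORITHMS = {"hmac-sha256.": hashlib.sha256}  # assumption: one algorithm suffices here


def wire_name(name):
    """Dotted name -> uncompressed canonical (lowercase) wire form."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Parse an uncompressed wire name; return (dotted name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("compression pointers not supported in this example")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def build_query(qname, qtype=1, msg_id=0x1234):
    """One-question DNS query (QR=0, RD=1) with an empty additional section."""
    return struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0) + wire_name(qname) + struct.pack("!HH", qtype, 1)


def compute_mac(secret, key_name, alg, unsigned_msg, time_signed, fudge, error=0, other=b"", request_mac=b""):
    """HMAC over: request MAC (responses only) | message without TSIG | TSIG variables."""
    variables = (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(alg)
                 + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)
    return hmac.new(secret, request_mac + unsigned_msg + variables, ALGORITHMS[alg]).digest()


def sign(msg, secret, key_name, alg="hmac-sha256.", time_signed=None, fudge=300):
    """Append a TSIG RR to msg and bump ARCOUNT; MAC covers msg as it was before."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = compute_mac(secret, key_name, alg, msg, time_signed, fudge)
    msg_id, arcount = struct.unpack("!H", msg[:2])[0], struct.unpack("!H", msg[10:12])[0]
    rdata = (wire_name(alg) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", msg_id, 0, 0))
    rr = wire_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", arcount + 1) + msg[12:] + rr


def verify(signed, keys, now=None, request_mac=b""):
    """True iff the trailing TSIG RR validates under keys ({key name: secret});
    False on unknown key/algorithm, stale time, wrong original ID or bad MAC."""
    msg_id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if ar == 0:
        return False
    off = 12
    for _ in range(qd):                       # skip question section
        off = read_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):         # skip every RR except the last one
        off = read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = read_name(signed, off)
    rtype, rclass, ttl, _rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    off += 10
    if rtype != TYPE_TSIG or rclass != CLASS_ANY or ttl != 0:
        return False
    alg, off = read_name(signed, off)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + mac_size]
    off += 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    if key_name not in keys or alg not in ALGORITHMS or orig_id != msg_id:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:        # replay window check
        return False
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    expected = compute_mac(keys[key_name], key_name, alg, unsigned, time_signed, fudge, error, other, request_mac)
    return hmac.compare_digest(mac, expected)


# Constructed demo: a key shared between two domains, a signed query, and checks.
SECRET = b"constructed-shared-secret-for-the-example"
KEY_NAME = "sun-mit.key."
SIGNED_QUERY = sign(build_query("www.sun.example."), SECRET, KEY_NAME, time_signed=1010178762)
```

A peer that holds the same secret under the same key name accepts the message; a peer with a different secret, a stale clock or a tampered question section rejects it, which is the whole of the trust relationship the two domains set up by exchanging the key.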