

To: Keith Moore <moore@cs.utk.edu>
Cc: Ted.Hardie@nominum.com, Edward Lewis <lewis@tislabs.com>, keydist@cafax.se
From: Derek Atkins <warlord@MIT.EDU>
Date: 09 Jan 2002 15:23:06 -0500
In-Reply-To: Keith Moore's message of "Wed, 09 Jan 2002 15:18:25 -0500"
Sender: owner-keydist@cafax.se
Subject: Re: From whence we came...

Keith Moore <moore@cs.utk.edu> writes:

> > DNSSec provides the origin authentication (and integrity protection) 
> > of the blobs.
> 
> DNSSEC might provide *one* means of authenticating the origin and 
> integrity of such blobs - and only if DNS is used to distribute

DNSSec works even if you don't know what the blob means.

> the blobs (and it seems like a poor mechanism to me).   The blobs 
> could also provide their own means of verifying authentication and 
> integrity, and the key distribution mechanism could provide its own
> means of doing so independent of DNSSEC.

This discussion started with "whether and how to distribute keying
information in DNS".  You may think that DNS is not the right place to
distribute keys, and for some applications I would agree with you.
However, there are other applications for which DNS is IMHO the
absolute correct place to distribute keys (e.g. IPsec and SSH host
keys).

> Keith

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
