To:
keydist@cafax.se
cc:
moore@cs.utk.edu
From:
Keith Moore <moore@cs.utk.edu>
Date:
Wed, 09 Jan 2002 15:38:03 -0500
Sender:
owner-keydist@cafax.se
Subject:
RESCAP/RC: an alternative to key distribution using DNS
Since people seem to be interested in using DNS to distribute keying material, I thought I'd suggest a (somewhat) concrete alternative. The RESCAP working group is working on the design of a protocol to be used to allow the lookup of meta-information that is associated with resource identifiers such as URIs. The Resource Catalog (RC) protocol is being considered for this protocol. Basically RC assumes that there is some well-defined process for mapping a URI to one or more servers that can perform the lookup. The server is probably identified using a a NAPTR/SRV lookup mechanism similar to that defined in RFC 2168 and RFC 2915. (in particular, NAPTR allows this process to be adaptable to the variety of URI syntaxes in use). The RC protocol itself is specifically designed to allow the client to request named metadata that are associated with a resource name. Arbitrary sets of metadata can be requested, and the kinds of metadata that can be associated with a resource name are arbitrarily extensible without changes to the RC servers. The RC protocol provides its own mechanisms for signing arbitrary sets of metadata without constraining the signature formats that can be used. Both the metadata and the signatures are opaque to the RC server. Distribution of key material is one of many applications for which RC was designed. But especially since I'm not a security expert, it's entirely possible that there is some aspect of RC's design that is deficient for this purpose. I'd very much appreciate comments from this group on the suitability of RC for this application. The relevant documents are: draft-ietf-rescap-rc-00.txt - RC protocol draft-ietf-rescap-blob-00.txt - presentation layer used by RC PDUs These documents are of course works in progress, and several aspects of the RC protocol (notably authentication for queries and updates) have not yet been defined. The rescap WG mailing list is at rescap[-REQUEST]@cs.utk.edu . Keith