To: Derek Atkins <warlord@MIT.EDU>
cc: Keith Moore <moore@cs.utk.edu>, Ted.Hardie@nominum.com, Edward Lewis <lewis@tislabs.com>, keydist@cafax.se
From: Keith Moore <moore@cs.utk.edu>
Date: Wed, 09 Jan 2002 15:48:53 -0500
In-reply-to: Your message of "09 Jan 2002 15:23:06 EST." <sjmbsg3nuj9.fsf@indiana.mit.edu>
Sender: owner-keydist@cafax.se
Subject: Re: From whence we came...
> > > DNSSec provides the origin authentication (and integrity protection)
> > > of the blobs.
> >
> > DNSSEC might provide *one* means of authenticating the origin and
> > integrity of such blobs - and only if DNS is used to distribute
>
> DNSSec works even if you don't know what the blob means.

It's not clear to me why you need to verify the authenticity or integrity
of a blob if you can't interpret the blob anyway.

> > the blobs (and it seems like a poor mechanism to me). The blobs
> > could also provide their own means of verifying authentication and
> > integrity, and the key distribution mechanism could provide its own
> > means of doing so independent of DNSSEC.
>
> This discussion started with "whether and how to distribute keying
> information in DNS". You may think that DNS is not the right place to
> distribute keys, and for some applications I would agree with you.
> However, there are other applications for which DNS is IMHO the
> absolute correct place to distribute keys (e.g. IPsec and SSH host
> keys).

I'm aware that the discussion started in terms of using DNS. I don't
know how the charter will end up, whether it will presume DNS as part of
the solution or not. IMHO it would be wrong for the charter to presume
DNS distribution and DNSSEC as mechanisms even if the charter were
limited to associating key material with DNS-based names.

I agree that there is a large set of applications for which DNS should
be part of the mechanism for locating keys. Any application that wants
to associate meaning with DNS names, and probably IP addresses, would be
a likely customer for such a mechanism.

Whether DNS is a good mechanism for actually distributing keys is a
different question. Several limitations in the DNS protocol make me
dubious about this.

Whether DNSSEC is a good mechanism to verify the authenticity of keys is
yet another question. As far as I can tell DNSSEC is potentially useful
but has narrower applicability than the general key distribution
mechanism being considered.

Keith