

To: Keith Moore <moore@cs.utk.edu>
Cc: Derek Atkins <warlord@MIT.EDU>, Ted.Hardie@nominum.com, Edward Lewis <lewis@tislabs.com>, keydist@cafax.se
From: Simon Josefsson <simon+keydist@josefsson.org>
Date: Wed, 09 Jan 2002 22:15:24 +0100
In-Reply-To: <200201092048.g09Kmri25011@astro.cs.utk.edu> (Keith Moore's message of "Wed, 09 Jan 2002 15:48:53 -0500")
Sender: owner-keydist@cafax.se
User-Agent: Gnus/5.090005 (Oort Gnus v0.05) XEmacs/21.5 (bamboo,i686-pc-linux)
Subject: Re: From whence we came...

Keith Moore <moore@cs.utk.edu> writes:

> I'm aware that the discussion started in terms of using DNS.  I don't 
> know how the charter will end up, whether it will presume DNS as part 
> of the solution or not.  IMHO it would be wrong for the charter to
> presume DNS distribution and DNSSEC as mechanisms even if the charter
> were limited to associating key material with DNS-based names.

A protocol that wants to achieve global key distribution, which
_doesn't_ presume DNS, will have severe operational problems.

Why?  Because SSH, IPSEC, OpenPGP etc. use DNS hostnames (or IP
addresses), and they need to look up keys given these hostnames/IP
addresses.  Designing a system that looks up keys for a hostname/IP
that doesn't use DNS requires more or less building up the same
infrastructure as DNS already has -- all domain owners should be able
to place public keys for their hosts in that system.  Adding the
security requirement that no one _other_ than the domain owner should
be able to store anything for the domain complicates matters.

I believe that "name to address" and "name to keys" mapping should be
handled by the same system.  DNS performs "name to address" mapping,
and with DNSSEC all mechanisms that are needed to distribute keys are
available as well.
