

To: Simon Josefsson <simon+keydist@josefsson.org>
CC: Keith Moore <moore@cs.utk.edu>, Derek Atkins <warlord@MIT.EDU>, Ted.Hardie@nominum.com, Edward Lewis <lewis@tislabs.com>, keydist@cafax.se
From: Steve Hanna <steve.hanna@sun.com>
Date: Wed, 09 Jan 2002 16:33:40 -0500
Sender: owner-keydist@cafax.se
Subject: Re: From whence we came...

Keith seems to be raising a concern that I raised earlier on
this list:

   DNSSEC imposes a top-down, single root trust model. That's
   often inappropriate.

I suggested that certificates be used in order to avoid this
problem. X.509 certificates can certify DNS names and the DNS
can be used to store these certificates or to point to other
repositories (like an LDAP directory) that store them. And
X.509 certificates can support many trust models.

The main objection to this that I heard was that certificates
are too complex. And DNSSEC is good enough for some people.
We should let them define standards for this.

If we're going to continue this discussion, we might as well
have the past context in mind.

-Steve

Simon Josefsson wrote:
> 
> Keith Moore <moore@cs.utk.edu> writes:
> 
> > I'm aware that the discussion started in terms of using DNS.  I don't
> > know how the charter will end up, whether it will presume DNS as part
> > of the solution or not.  IMHO it would be wrong for the charter to
> > presume DNS distribution and DNSSEC as mechanisms even if the charter
> > were limited to associating key material with DNS-based names.
> 
> A protocol that wants to achieve global key distribution, which
> _doesn't_ presume DNS, will have severe operational problems.
> 
> Why?  Because SSH, IPSEC, OpenPGP etc use DNS hostnames (or IP
> addresses), and they need to look up keys given these hostnames/IP
> addresses.  Designing a system that looks up keys for a hostname/IP
> that doesn't use DNS requires more or less building up the same
> infrastructure as DNS already has -- all domain owners should be able
> to place public keys for their hosts in that system.  Adding the
> security requirement that no one _other_ than the domain owner should
> be able to store anything for the domain complicates matters.
> 
> I believe that "name to address" and "name to keys" mapping should be
> handled by the same system.  DNS performs "name to address" mapping,
> and with DNSSEC all mechanisms that are needed to distribute keys are
> available as well.
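The point under discussion above is how the set of trust anchors a verifier configures determines the trust model: one root anchor gives the top-down chain Steve and Keith describe, while a locally chosen anchor set (a zone's own key, an independent CA) supports other models. The following Go program is an added example written for this archive page, not code from any participant in the thread; its `Cert` record, the names (`example.org.`, `ca.example.`) and all keys are constructed for illustration and do not follow the real X.509 or DNSSEC wire formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Cert is a hypothetical, simplified binding of a DNS name to a public key,
// signed by an issuer. It stands in for an X.509 certificate or a DNSSEC
// signed key record; it is not either real format.
type Cert struct {
	Name   string            // DNS name being certified, e.g. "host.example.org."
	Key    ed25519.PublicKey // key bound to that name
	Issuer string            // name of the signer
	Sig    []byte            // issuer's signature over tbs(Name, Key)
}

// tbs is the to-be-signed encoding: the name, a separator, then the raw key.
func tbs(name string, key ed25519.PublicKey) []byte {
	return append([]byte(name+"\x00"), key...)
}

func keygen() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func issue(issuer string, issuerPriv ed25519.PrivateKey, name string, key ed25519.PublicKey) Cert {
	return Cert{Name: name, Key: key, Issuer: issuer, Sig: ed25519.Sign(issuerPriv, tbs(name, key))}
}

// Verify succeeds when there is a chain of valid signatures from c up to a
// name whose key is in anchors. The anchor set is the only thing that differs
// between the verifiers below; the certificates are the same data.
func Verify(c Cert, pool []Cert, anchors map[string]ed25519.PublicKey, depth int) bool {
	if depth > 8 { // bound chain length
		return false
	}
	if k, ok := anchors[c.Issuer]; ok && ed25519.Verify(k, tbs(c.Name, c.Key), c.Sig) {
		return true
	}
	for _, p := range pool {
		if p.Name == c.Issuer && ed25519.Verify(p.Key, tbs(c.Name, c.Key), c.Sig) && Verify(p, pool, anchors, depth+1) {
			return true
		}
	}
	return false
}

// Outcome records what each verifier concludes about the same host key.
type Outcome struct {
	RootVerifierAcceptsZoneCert bool // top-down chain from "."
	ZoneVerifierAcceptsZoneCert bool // anchor at the zone; root never consulted
	CAVerifierAcceptsCACert     bool // independent CA trusted directly
	RootVerifierAcceptsCACert   bool // CA is outside the root hierarchy
	TamperedRejected            bool // name changed after signing
}

// Scenario builds a constructed hierarchy "." -> "org." -> "example.org." ->
// "host.example.org." plus an unrelated CA, and checks the host key under
// three verifiers with different anchor sets.
func Scenario() Outcome {
	rootPub, rootPriv := keygen()
	orgPub, orgPriv := keygen()
	zonePub, zonePriv := keygen()
	caPub, caPriv := keygen()
	hostPub, _ := keygen()

	orgCert := issue(".", rootPriv, "org.", orgPub)
	zoneCert := issue("org.", orgPriv, "example.org.", zonePub)
	hostByZone := issue("example.org.", zonePriv, "host.example.org.", hostPub)
	hostByCA := issue("ca.example.", caPriv, "host.example.org.", hostPub)
	pool := []Cert{orgCert, zoneCert} // intermediates available to every verifier

	rootOnly := map[string]ed25519.PublicKey{".": rootPub}
	zoneOnly := map[string]ed25519.PublicKey{"example.org.": zonePub}
	caOnly := map[string]ed25519.PublicKey{"ca.example.": caPub}

	tampered := hostByZone
	tampered.Name = "other.example.org." // signature no longer covers this name

	return Outcome{
		RootVerifierAcceptsZoneCert: Verify(hostByZone, pool, rootOnly, 0),
		ZoneVerifierAcceptsZoneCert: Verify(hostByZone, pool, zoneOnly, 0),
		CAVerifierAcceptsCACert:     Verify(hostByCA, pool, caOnly, 0),
		RootVerifierAcceptsCACert:   Verify(hostByCA, pool, rootOnly, 0),
		TamperedRejected:            !Verify(tampered, pool, rootOnly, 0),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Running it prints the five outcomes; the first three are true and the fourth is false, which is the whole difference between the models: the root-anchored verifier cannot accept a binding issued outside its hierarchy, while a verifier that anchors at the zone or at a chosen CA accepts the same host key without any path to the root.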
