To:
Keith Moore <moore@cs.utk.edu>
Cc:
Ted.Hardie@nominum.com, Edward Lewis <lewis@tislabs.com>, keydist@cafax.se
From:
Derek Atkins <warlord@MIT.EDU>
Date:
09 Jan 2002 16:49:30 -0500
In-Reply-To:
Keith Moore's message of "Wed, 09 Jan 2002 16:32:01 -0500"
Sender:
owner-keydist@cafax.se
Subject:
Re: From whence we came...
Keith Moore <moore@cs.utk.edu> writes: > mumble. My trust in ssh keys is based on prior experience in using > that key to interact with a particular host - hopefully the key If you go read the archive, you will notice that a couple days ago I sent a suggested "ssh key validation protocol" that uses DNSSec for extra validation of ssh keys during the initial-contact period. If a key isn't in your cache, you can use DNSSec to improve the validation of that key. > is initially obtained over a network that is secure or unlikely to > be compromised, or the key obtained in this manner can be verified > out-of-band. Trust in DNSSEC is based on different factors. This is indeed the problem that DNSSec can solve -- helping secure the key for initial contact. > While I wouldn't mind having the ability to verify ssh keys using > DNSSEC, I wouldn't necessarily want DNSSEC verification axiomiatically > treated as valid by ssh. This is an application/user decision. One would hope that the application designer would give you this option. However that does not invalidate the usefulness of DNSSec as stated. > And this is still a different issue from putting ssh keys directly > in DNS. Oh? Why? [snip] > Offhand that sounds like a good scope. I might also include IP addresses. Um, yea, *blush*, sorry, of course IP addresses, too. > Keith -derek -- Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory Member, MIT Student Information Processing Board (SIPB) URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH warlord@MIT.EDU PGP key available