To: Keith Moore <moore@cs.utk.edu>
Cc: keydist@cafax.se
From: Greg Hudson <ghudson@MIT.EDU>
Date: 10 Jan 2002 00:07:51 -0500
In-Reply-To: <200201092038.g09Kc3i24977@astro.cs.utk.edu>
Sender: owner-keydist@cafax.se
Subject: Re: RESCAP/RC: an alternative to key distribution using DNS
On Wed, 2002-01-09 at 15:38, Keith Moore wrote:
> Since people seem to be interested in using DNS to distribute keying
> material, I thought I'd suggest a (somewhat) concrete alternative.

I'm becoming a little frustrated by the argument that goes:

1. People shouldn't axiomatically trust DNSSEC.
2. ???
3. Therefore, we should use this other method which precludes using a DNSSEC signature chain to verify application keys.

where "this other method" is usually an SRV or NAPTR referral to some other protocol. How do people go from "not axiomatically" to "never?"

(I am perfectly happy with a referral to another protocol, as long as that referral includes something--even something as small as a key fingerprint--which can allow DNSSEC trust to be chained onto application keys. Just in case people decide, not axiomatically, that they want to trust that, or to use it for additional verification. I believe a key fingerprint can be shoehorned into NAPTR with the definition of a new flag.)
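The chaining the message argues for, as an added illustration that is not part of the thread or of any project: a NAPTR-style referral carries a key fingerprint, and a key fetched over the referred-to protocol is accepted only when its fingerprint matches a DNSSEC-validated referral. The flag letter "F", the use of the regexp field for the fingerprint, the service name and the SHA-256 hash choice are all constructed placeholders (no such NAPTR flag is registered); the DNSSEC validation result is passed in as a boolean rather than performed here.

```python
import hashlib
import hmac
import shlex

# Constructed sample: stands in for a public key fetched over the
# referred-to protocol (hypothetical bytes, not a real key).
SAMPLE_KEY = b"-----BEGIN PUBLIC KEY-----\nEXAMPLE-KEY-BYTES\n-----END PUBLIC KEY-----\n"


def fingerprint(key_bytes):
    """Fingerprint of the key bytes; SHA-256 is an assumed choice."""
    return "sha256:" + hashlib.sha256(key_bytes).hexdigest()


def build_referral(order, pref, service, target, key_bytes):
    """NAPTR-style rdata: order pref flags services regexp replacement.
    Hypothetical flag 'F' marks that the regexp field carries a fingerprint,
    standing in for the 'new flag' the message suggests defining."""
    return '%d %d "SF" "%s" "%s" %s' % (
        order, pref, service, fingerprint(key_bytes), target)


def parse_referral(rdata):
    """Split the six NAPTR fields, honouring the quoted strings."""
    fields = shlex.split(rdata)
    if len(fields) != 6:
        raise ValueError("expected 6 NAPTR fields, got %d" % len(fields))
    order, pref, flags, service, fp_field, target = fields
    return {"order": int(order), "pref": int(pref), "flags": flags,
            "service": service, "fingerprint": fp_field, "target": target}


def chained_key_ok(rdata, fetched_key, dnssec_validated):
    """True only if the fetched key matches the fingerprint in a referral
    that was validated via the DNSSEC signature chain. An unvalidated
    referral gives the fingerprint nothing to chain its trust from."""
    if not dnssec_validated:
        return False
    ref = parse_referral(rdata)
    if "F" not in ref["flags"]:
        return False  # referral carries no fingerprint: nothing to chain onto
    # Constant-time compare: both sides are ASCII hex strings.
    return hmac.compare_digest(ref["fingerprint"], fingerprint(fetched_key))
```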