To: Greg Hudson <ghudson@MIT.EDU>
cc: Mats Dufberg <dufberg@telia.net>, keydist@cafax.se
From: Keith Moore <moore@cs.utk.edu>
Date: Mon, 14 Jan 2002 14:12:24 -0500
In-reply-to: Your message of "Mon, 14 Jan 2002 12:57:08 EST." <Pine.LNX.4.30L.0201141247410.2332-100000@error-messages.mit.edu>
Sender: owner-keydist@cafax.se
Subject: Re: RESCAP/RC: an alternative to key distribution using DNS

> > On Jan 10, 2002, 20:09 (-0500) Greg Hudson <ghudson@MIT.EDU> wrote:
> >
> > > I'm a little leery of this approach; it means that the same private key
> > > has to be used to sign both DNS and non-DNS data.  Maybe that's okay, but
> > > it sounds like a violation of
> [Hm, I trailed off here.  "a violation of good security principles."]
> >
> > No, you could use a separate key for signing application keys.
> 
> Uh, no; you must be misunderstanding something (and you certainly aren't
> being very explicit).  To recap, here are the incompatible constraints:
> 
>   1. (Mine) We have to be able to establish a security chain from the DNS
>      root to the application data, 

agree with this part...

>      such that a client which starts out
>      knowing only the public key of the DNS root can securely associate
>      application data with DNS names.

...  but it doesn't imply the second part.  no client should axiomatically
trust "the public key of the DNS root" - that's investing far too much
trust in one organization.  it would be completely irresponsible for
IETF to recommend that clients invest such trust.  

nor does trust in the root (or any zone) imply that the zones under 
it should be trusted.

instead, clients need to be configurable as to which public keys they
trust, and for what purposes.  there's no getting around this.

>   2. (Mine) We can't use the same key to sign DNS and non-DNS data.  (That
>      is, if a private key is accessible to whoever signs a DNS zone, it
>      shouldn't also be accessible to whoever signs a RESCAP data set or
>      whatever.)

just curious, why do you say this?  as long as the signatures are made by 
the same party, why shouldn't the same private key be used?

>   3. (Keith's) We can't have any keys or key fingerprints in DNS except
>      for the KEY records which protect DNS data.

that's not what I said.  

I don't claim to know enough about DNSSEC to specify exactly how the
keys or fingerprints should be stored, but I do know enough about NAPTR 
to know that they don't belong there.

Keith
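The disagreement in this thread is about where a client's trust starts and how far it reaches: whether a client that knows only the DNS root key may vouch for application data, and whether trust in a zone key implies trust in the zones below it. The following model is an added example, not code from the keydist thread nor from any DNSSEC or RESCAP implementation. It shows a client with configurable trust anchors, each limited to a set of purposes and to whether delegations it signs are followed downward, and then runs the same delegation chain under three constructed client configurations. All zone names, key material, purpose labels, and the HMAC "signature" scheme (a stand-in for real public-key signatures, used only so the policy logic runs offline) are assumptions.

```python
"""Trust-anchor policy model for the chain-of-trust question in the thread above.
Added example; not from the keydist thread or any DNSSEC/RESCAP implementation.
All zone names, key material and purpose labels are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple
import hashlib
import hmac

DNS_ZONE = "dns-zone"   # vouching for DNS records (the KEY/SIG use)
APP_DATA = "app-data"   # vouching for application key sets (the RESCAP use)


@dataclass(frozen=True)
class Key:
    """Toy key: an HMAC secret stands in for a private key. Assumption: this only
    demonstrates policy logic; it is not a real signature scheme."""
    owner: str
    secret: bytes

    @property
    def key_id(self) -> str:
        return hashlib.sha256(self.owner.encode() + self.secret).hexdigest()[:16]

    def sign(self, tag: str, payload: bytes) -> bytes:
        return hmac.new(self.secret, tag.encode() + b"|" + payload, hashlib.sha256).digest()

    def verify(self, tag: str, payload: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(tag, payload), sig)


@dataclass(frozen=True)
class TrustAnchor:
    """What a client has been configured to trust: a key, the purposes it may
    vouch for, and whether delegations it signs are followed downward."""
    key_id: str
    purposes: FrozenSet[str]
    follows_delegations: bool


@dataclass(frozen=True)
class Delegation:
    signer_id: str
    child_id: str
    purposes: FrozenSet[str]
    sig: bytes


def _delegation_body(child_id: str, purposes: FrozenSet[str]) -> bytes:
    return f"{child_id}|{','.join(sorted(purposes))}".encode()


def delegate(parent: Key, child: Key, purposes: FrozenSet[str]) -> Delegation:
    body = _delegation_body(child.key_id, purposes)
    return Delegation(parent.key_id, child.key_id, purposes, parent.sign("delegate", body))


def verify_chain(anchors: Dict[str, TrustAnchor], keys: Dict[str, Key],
                 chain: List[Delegation], leaf: Key, purpose: str,
                 payload: bytes, sig: bytes) -> Tuple[bool, str]:
    """Walk from a configured anchor down the delegation chain to the leaf key.
    Trust extends only as far as the client's own configuration allows."""
    top = chain[0].signer_id if chain else leaf.key_id
    anchor = anchors.get(top)
    if anchor is None:
        return False, f"no configured trust anchor for key {top}"
    if purpose not in anchor.purposes:
        return False, f"anchor {top} is not trusted for {purpose}"
    if chain and not anchor.follows_delegations:
        return False, f"anchor {top} is trusted directly, not for zones below it"
    expected = top
    for d in chain:
        if d.signer_id != expected:
            return False, "delegation chain is not contiguous"
        if purpose not in d.purposes:
            return False, f"delegation from {d.signer_id} does not grant {purpose}"
        if not keys[d.signer_id].verify("delegate", _delegation_body(d.child_id, d.purposes), d.sig):
            return False, f"bad delegation signature from {d.signer_id}"
        expected = d.child_id
    if expected != leaf.key_id:
        return False, "chain does not end at the leaf key"
    if not leaf.verify(purpose, payload, sig):
        return False, "bad signature on the data"
    return True, "ok"


def demo() -> Dict[str, bool]:
    """Constructed scenario: root -> net. -> example.net. zone key, plus a separate
    example.net. application key, checked under three client configurations."""
    both = frozenset({DNS_ZONE, APP_DATA})
    root, net = Key(".", b"root-secret"), Key("net.", b"net-secret")
    zone, app = Key("example.net.", b"zone-secret"), Key("example.net.", b"app-secret")
    keys = {k.key_id: k for k in (root, net, zone, app)}
    to_net, to_zone = delegate(root, net, both), delegate(net, zone, both)
    to_app = delegate(zone, app, frozenset({APP_DATA}))
    data, dns = b"example.net. application key set", b"example.net. A 192.0.2.1"
    sig, dns_sig = app.sign(APP_DATA, data), zone.sign(DNS_ZONE, dns)

    # Constraint 1 as stated: the root key alone vouches for everything below it.
    root_all = {root.key_id: TrustAnchor(root.key_id, both, True)}
    # Per-purpose configuration: root for DNS only, application trust set per zone.
    scoped = {root.key_id: TrustAnchor(root.key_id, frozenset({DNS_ZONE}), True),
              zone.key_id: TrustAnchor(zone.key_id, frozenset({APP_DATA}), True)}
    # Root trusted, but not for anything it delegates to.
    direct_only = {root.key_id: TrustAnchor(root.key_id, both, False)}
    app_chain, dns_chain = [to_net, to_zone, to_app], [to_net, to_zone]
    return {
        "root_anchor_vouches_for_app": verify_chain(root_all, keys, app_chain, app, APP_DATA, data, sig)[0],
        "scoped_root_rejects_app": verify_chain(scoped, keys, app_chain, app, APP_DATA, data, sig)[0],
        "scoped_zone_anchor_accepts_app": verify_chain(scoped, keys, [to_app], app, APP_DATA, data, sig)[0],
        "scoped_root_accepts_dns": verify_chain(scoped, keys, dns_chain, zone, DNS_ZONE, dns, dns_sig)[0],
        "direct_only_root_rejects_subzone": verify_chain(direct_only, keys, dns_chain, zone, DNS_ZONE, dns, dns_sig)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The same signed chain is accepted or rejected purely by what the client was configured to trust and for which purpose; no anchor's reach is implied by its position in the tree.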