To: Derek Atkins <warlord@MIT.EDU>
cc: Steve Hanna <steve.hanna@sun.com>, Simon Josefsson <simon+keydist@josefsson.org>, Edward Lewis <lewis@tislabs.com>, keydist@cafax.se
From: Keith Moore <moore@cs.utk.edu>
Date: Mon, 14 Jan 2002 16:15:04 -0500
In-reply-to: Your message of "14 Jan 2002 15:09:52 EST." <sjmg058u227.fsf@kikki.mit.edu>
Sender: owner-keydist@cafax.se
Subject: Re: looking for draft volunteers

> As I just pointed out, it is not.  You still need LDAP over TLS with
> either the SSL key or key fingerprint signed by DNSSec.

agreed that the keys you get from the lookup protocol must be signed
by DNSsec in order for DNSsec to be of use in helping the client establish
trust in those keys.  

however, TLS isn't a very scalable mechanism for authenticating the 
results of that lookup, since it effectively insists that all of the 
keys you get from any particular server be signed by the TLS key.
trusting TLS for this purpose essentially forces you to have a 
separate lookup server for each DNS zone.

far better to use a protocol which allows each looked-up key to 
return its own certs.

Keith
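To make the contrast in this message concrete, here is an added example (not code from the thread or from any project) of a client validating lookup results under the two trust models: per-record certs checked against per-zone trust anchors, versus a TLS identity that vouches for the whole server. Zone names, keys and records are constructed, and HMAC stands in for the zone's signature primitive (DNSSEC uses public-key RRSIGs); only the trust structure is the point.

```python
import hashlib
import hmac
import json

# Constructed per-zone trust anchors, as if the client had obtained the zone
# keys via DNSSEC. HMAC keys stand in for real public-key zone signatures.
ZONE_ANCHORS = {
    "example.org.": b"anchor-key-example-org",
    "example.net.": b"anchor-key-example-net",
}

def sign_record(zone, owner, key_material, zone_key):
    """Zone side: each looked-up key carries its own cert over (owner, key)."""
    msg = json.dumps([owner, key_material], sort_keys=True).encode()
    return {"zone": zone, "owner": owner, "key": key_material,
            "sig": hmac.new(zone_key, msg, hashlib.sha256).hexdigest()}

def verify_per_record(records, anchors):
    """Client side, per-record model: every record is judged on its own cert,
    so one server may return keys for many zones. Returns {owner: ok}."""
    results = {}
    for r in records:
        anchor = anchors.get(r["zone"])
        msg = json.dumps([r["owner"], r["key"]], sort_keys=True).encode()
        if anchor is None:
            results[r["owner"]] = False          # zone not trusted: reject
            continue
        expected = hmac.new(anchor, msg, hashlib.sha256).hexdigest()
        results[r["owner"]] = hmac.compare_digest(expected, r["sig"])
    return results

def verify_tls_only(server_zone, records):
    """Client side, TLS-only model: the server's TLS identity is the only
    proof, so a record is credible only if it belongs to the server's zone.
    A forged record inside that zone is NOT detectable in this model."""
    return {r["owner"]: r["zone"] == server_zone for r in records}

def build_response():
    """One lookup server answering for two zones (constructed data),
    plus a record signed with something other than the zone key."""
    good = [sign_record("example.org.", "alice@example.org", "KEY-A",
                        ZONE_ANCHORS["example.org."]),
            sign_record("example.net.", "bob@example.net", "KEY-B",
                        ZONE_ANCHORS["example.net."])]
    forged = sign_record("example.net.", "mallory@example.net", "KEY-M",
                         b"not-the-zone-key")
    return good + [forged]

if __name__ == "__main__":
    resp = build_response()
    print("per-record certs:", verify_per_record(resp, ZONE_ANCHORS))
    print("TLS-only (server for example.org.):", verify_tls_only("example.org.", resp))
```

In the per-record model the mixed-zone response validates record by record and only the badly signed one is dropped; in the TLS-only model every record outside the server's own zone is unverifiable, which is the per-zone-server constraint described above.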
