To: Keith Moore <moore@cs.utk.edu>
Cc: Steve Hanna <steve.hanna@sun.com>, Simon Josefsson <simon+keydist@josefsson.org>, Edward Lewis <lewis@tislabs.com>, keydist@cafax.se
From: Derek Atkins <warlord@MIT.EDU>
Date: 14 Jan 2002 17:39:22 -0500
In-Reply-To: <200201142115.g0ELF4i29744@astro.cs.utk.edu>
Sender: owner-keydist@cafax.se
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
Subject: Re: looking for draft volunteers
Keith Moore <moore@cs.utk.edu> writes:

> > As I just pointed out, it is not. You still need LDAP over TLS with
> > either the SSL key or key fingerprint signed by DNSSec.
>
> agreed that the keys you get from the lookup protocol must be signed
> by DNSsec in order for DNSsec to be of use in helping the client establish
> trust in those keys.
>
> however, TLS isn't a very scalable mechanism for authenticating the
> results of that lookup, since it effectively insists that all of the
> keys you get from any particular server be signed by the TLS key.
> trusting TLS for this purpose essentially forces you to have a
> separate lookup server for each DNS zone.

Eh? DNS hands you back a DNSSec-signed message that basically says:

    contact <your-URI-here> using <your-KEY-here>

That's called a "secure referral" and now you go off using SSL (perhaps
with a self-signed certificate) to protect your lookup method.

The whole point of this exercise was that some people wanted to have
DNSSec refer users/applications to an external protocol to obtain keys.
If you're going to do that you need a trust path to the secure protocol.
This does not imply that your SSL key is being used to sign the
certificates/keys returned by this secondary protocol. The SSL key is
being used to protect your key-lookup protocol to make sure that you get
the data you requested from the source you were told to request it from.

> far better to use a protocol which allows each looked-up key to
> return its own certs.

Funny that -- that's why a bunch of us want to store the keys in DNS!

> Keith

-derek

-- 
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/    PP-ASEL-IA    N1NWH
warlord@MIT.EDU                        PGP key available
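An added example (not from this thread or any of its participants) of what a client does with the secure referral Derek describes: it trusts the URI and certificate fingerprint only because the resolver DNSSEC-validated the record, then pins the lookup server's (possibly self-signed) TLS certificate to that fingerprint, so TLS protects the transport while the keys fetched over it still carry their own signatures. The "contact <URI> using <FINGERPRINT>" record text, the `keys.example.net` name and the certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class SecureReferral:
    """A DNSSEC-validated pointer to an external key-lookup service."""
    uri: str
    cert_fingerprint: str  # hex SHA-256 over the service's DER certificate


def parse_referral(record_text: str, dnssec_validated: bool) -> SecureReferral:
    """Parse the constructed 'contact <URI> using <FINGERPRINT>' record.

    The record only carries trust if the resolver validated its DNSSEC
    signatures (e.g. the AD bit was set), so that status is an explicit input.
    """
    if not dnssec_validated:
        raise ValueError("referral not DNSSEC-validated; refusing to trust it")
    words = record_text.split()
    if len(words) != 4 or words[0] != "contact" or words[2] != "using":
        raise ValueError("malformed referral record")
    return SecureReferral(uri=words[1], cert_fingerprint=words[3].lower())


def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


def peer_matches_referral(cert_der: bytes, referral: SecureReferral) -> bool:
    """Check the TLS certificate the server presented against the
    DNSSEC-signed fingerprint; constant-time compare to avoid timing leaks."""
    return hmac.compare_digest(fingerprint(cert_der), referral.cert_fingerprint)


def pinned_context() -> ssl.SSLContext:
    """TLS context that accepts a self-signed server certificate: trust comes
    from peer_matches_referral() on the DNSSEC-signed fingerprint, not a CA."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


# Constructed stand-in for a DER certificate (not a real certificate).
CONSTRUCTED_CERT_DER = b"\x30\x03\x02\x01\x00"

# Usage after connecting:
#   tls = pinned_context().wrap_socket(raw_sock, server_hostname=host)
#   if not peer_matches_referral(tls.getpeercert(binary_form=True), ref):
#       tls.close()  # wrong server or a man-in-the-middle; abort the lookup
```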