To: Keith Moore <moore@cs.utk.edu>
Cc: Steve Hanna <steve.hanna@sun.com>, Simon Josefsson <simon+keydist@josefsson.org>, Edward Lewis <lewis@tislabs.com>, keydist@cafax.se
From: Derek Atkins <warlord@MIT.EDU>
Date: 14 Jan 2002 17:39:22 -0500
In-Reply-To: <200201142115.g0ELF4i29744@astro.cs.utk.edu>
Sender: owner-keydist@cafax.se
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
Subject: Re: looking for draft volunteers
Keith Moore <moore@cs.utk.edu> writes:
> > As I just pointed out, it is not. You still need LDAP over TLS with
> > either the SSL key or key fingerprint signed by DNSSec.
>
> agreed that the keys you get from the lookup protocol must be signed
> by DNSsec in order for DNSsec to be of use in helping the client establish
> trust in those keys.
>
> however, TLS isn't a very scalable mechanism for authenticating the
> results of that lookup, since it effectively insists that all of the
> keys you get from any particular server be signed by the TLS key.
> trusting TLS for this purpose essentially forces you to have a
> separate lookup server for each DNS zone.
Eh?
DNS hands you back a DNSSec-signed message that basically says:
contact <your-URI-here> using <your-KEY-here>
That's called a "secure referral" and now you go off using SSL
(perhaps with a self-signed certificate) to protect your lookup
method.
The whole point of this exercise was that some people wanted to
have DNSSec refer users/applications to an external protocol to
obtain keys. If you're going to do that you need a trust path
to the secure protocol.
This does not imply that your SSL key is being used to sign the
certificates/keys returned by this secondary protocol. The SSL key is
being used to protect your key-lookup protocol to make sure that you
get the data you requested from the source you were told to request it
from.
> far better to use a protocol which allows each looked-up key to
> return its own certs.
Funny that -- that's why a bunch of us want to store the keys in DNS!
> Keith
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
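The secure-referral flow described in the message (a DNSSEC-signed "contact <URI> using <KEY>" answer, then a TLS connection to that URI whose self-signed certificate is accepted only because its key is the one the referral named) as an added Go example; this is not code from the post or from anyone on the list, and it is the same pattern DANE later standardised as TLSA usage 3 with the SPKI selector. The `Referral`, `Fingerprint`, `ClientConfig` and `SelfSigned` names, the SHA-256-of-SubjectPublicKeyInfo pin format and the throwaway Ed25519 certificate are assumptions of this example; the referral record is constructed locally rather than fetched and validated from DNS.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Referral stands in for the DNSSEC-validated "contact <URI> using <KEY>" answer; KeyHex pins SHA-256(SubjectPublicKeyInfo).
type Referral struct{ URI, KeyHex string }

// Fingerprint pins the key, not the whole cert, so a renewed self-signed cert on the same key still matches.
func Fingerprint(cert *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(cert.RawSubjectPublicKeyInfo))
}

// ClientConfig replaces CA chain building with the referral pin: a self-signed cert is accepted only if DNSSEC named its key.
func ClientConfig(ref Referral) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // chain validation is replaced by the pin below, not dropped
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 {
				return errors.New("lookup server sent no certificate")
			}
			cert, err := x509.ParseCertificate(raw[0])
			if err == nil && Fingerprint(cert) != ref.KeyHex {
				err = fmt.Errorf("peer key %s does not match DNSSEC referral", Fingerprint(cert))
			}
			return err
		},
	}
}

// SelfSigned makes a throwaway Ed25519 key and self-signed cert standing in for the lookup server's (constructed test data).
func SelfSigned() (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return x509.ParseCertificate(der) // a failed CreateCertificate surfaces here as a parse error
}

// Stand-alone run: print the pin a referral for this throwaway server would carry.
func main() { c, err := SelfSigned(); if err == nil { fmt.Println(Fingerprint(c)) } }
```

In production the `KeyHex` value comes from the DNSSEC-validated answer and the connection is opened with `tls.Dial` against the referral's host using `ClientConfig(ref)`; the SSL key then only protects the lookup channel, exactly as the message says, and signs nothing that the lookup returns.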