

To: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
Cc: Edward Lewis <lewis@tislabs.com>, keydist@cafax.se
From: Ted Hardie <Ted.Hardie@nominum.com>
Date: Mon, 25 Mar 2002 16:44:09 -0800
Content-Disposition: inline
In-Reply-To: <20020326001858.563452A4E@orchard.arlington.ma.us>; from sommerfeld@orchard.arlington.ma.us on Mon, Mar 25, 2002 at 07:18:53PM -0500
Reply-To: Ted.Hardie@nominum.com
Sender: owner-keydist@cafax.se
User-Agent: Mutt/1.2.5i
Subject: Re: My take on the BoF session

On Mon, Mar 25, 2002 at 07:18:53PM -0500, Bill Sommerfeld wrote:

> Secured DNS zones provide a secured binding between names and RR's, so
> it can potentially be used to bootstrap a DNS name into a key.

As those at the meeting know, I put on a large "non-security clueful"
hat before speaking, and I'll put it on again now.  My take, though,
is that the question of when this bootstrapping is and is not
appropriate is the critical issue for the security folk.

It is easy to fall into thinking that having a data integrity check
for the data in a zone (which is what DNSSEC provides) creates a sort
of universal root for any chain of trust.  If you trust the data in
the DNS, after all, it seems obvious that you should put any data you
need to trust into the DNS.  The problem is, though, that the trust
model for the DNS (hierarchical up to the root or a known key) doesn't
necessarily match the trust model for an application.  I am far from
an expert on trust models, but it does seem to me that the trust model
for an ad-hoc VPN and the trust model for secure Internet Fax are
different, and it doesn't surprise me a whole lot to discover that the
security folk get shivers up the spine when we aren't careful in
distinguishing the two.

In other words, it might help if we bound the problem to a specific
type of communication (say, the ad hoc IPSec association mentioned by
Bill), and check to see if the trust models match with the security
clueful before we move on to taking up this work.

			regards,
				Ted Hardie
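The point Ted makes about the DNS trust model being "hierarchical up to the root or a known key" can be made concrete with a small validator. The following is an added example, not code from this thread or from any DNSSEC implementation: it models a three-zone hierarchy with constructed, hypothetical names and uses HMAC with per-zone secrets as a stand-in for DNSKEY/RRSIG signatures (a real validator holds only public keys). A zone's key counts as trusted when it is a configured trust anchor or when the parent publishes a DS record for it that validates under a trusted parent key; the same signed TXT record then validates or fails depending solely on which anchor the validator was configured with.

```python
import hashlib
import hmac
from typing import Dict, Optional, Set, Tuple

# Constructed toy data: three zones in one hierarchy. The secrets stand in
# for zone signing keys; a real DNSSEC zone publishes an asymmetric DNSKEY
# and the validator never holds the private half. All names are hypothetical.
ZONE_SECRETS: Dict[str, bytes] = {
    ".": b"root-secret",
    "com.": b"com-secret",
    "example.com.": b"example-secret",
}


def key_id(secret: bytes) -> str:
    """Stand-in for a DNSKEY key tag: a short digest the validator can name."""
    return hashlib.sha256(secret).hexdigest()[:16]


def sign(secret: bytes, data: bytes) -> str:
    """Toy RRSIG: an HMAC over the record data with the zone's secret."""
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def parent_of(zone: str) -> Optional[str]:
    """'example.com.' -> 'com.' -> '.' -> None."""
    if zone == ".":
        return None
    rest = zone.split(".", 1)[1]
    return rest if rest else "."


def publish() -> dict:
    """Build what a resolver would fetch: one DS record per delegated zone
    (child key id, signed by the parent) and a signed TXT RRset that an
    application might use to look up a key (constructed sample value)."""
    ds: Dict[str, Tuple[str, str]] = {}
    for zone, secret in ZONE_SECRETS.items():
        parent = parent_of(zone)
        if parent is not None:
            kid = key_id(secret)
            ds[zone] = (kid, sign(ZONE_SECRETS[parent], f"DS {zone} {kid}".encode()))
    txt = b"app-key=CONSTRUCTED_SAMPLE_KEY"
    rrset = ("example.com.", "TXT", txt, sign(ZONE_SECRETS["example.com."], txt))
    return {"ds": ds, "rrset": rrset}


def zone_key_trusted(zone: str, ds: Dict[str, Tuple[str, str]], anchors: Set[str]) -> bool:
    """A zone key is trusted if it is a configured anchor, or if the parent's
    DS for it verifies under the parent key and the parent key is trusted.
    This is the chain that ends at the root or at some other known key."""
    kid = key_id(ZONE_SECRETS[zone])
    if kid in anchors:
        return True
    parent = parent_of(zone)
    if parent is None or zone not in ds:
        return False  # top of the hierarchy reached without meeting an anchor
    child_kid, ds_sig = ds[zone]
    expected = sign(ZONE_SECRETS[parent], f"DS {zone} {child_kid}".encode())
    if child_kid != kid or not hmac.compare_digest(ds_sig, expected):
        return False  # delegation record missing, altered, or for a different key
    return zone_key_trusted(parent, ds, anchors)


def validate_rrset(rrset, published: dict, anchors: Set[str]) -> bool:
    """Integrity check for one RRset: the owning zone's key must chain to an
    anchor, and the record signature must verify under that key. The owner
    name is taken to be the zone apex in this toy."""
    name, _rtype, rdata, sig = rrset
    if not zone_key_trusted(name, published["ds"], anchors):
        return False
    expected = sign(ZONE_SECRETS[name], rdata)
    return hmac.compare_digest(sig, expected)


def demo() -> Dict[str, bool]:
    """Same record, four validator configurations."""
    published = publish()
    rrset = published["rrset"]
    root_anchor = {key_id(ZONE_SECRETS["."])}
    zone_anchor = {key_id(ZONE_SECRETS["example.com."])}   # a "known key" instead of the root
    unrelated_anchor = {key_id(b"org-secret")}             # anchor for some other hierarchy
    tampered = (rrset[0], rrset[1], b"app-key=ALTERED", rrset[3])
    return {
        "root_anchor": validate_rrset(rrset, published, root_anchor),
        "zone_key_as_anchor": validate_rrset(rrset, published, zone_anchor),
        "unrelated_anchor": validate_rrset(rrset, published, unrelated_anchor),
        "tampered_under_root": validate_rrset(tampered, published, root_anchor),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'bogus'}")
```

What the validator returns is a statement about integrity: the operator of example.com published that TXT record, and nobody altered it in transit, relative to the configured anchor. It says nothing about whether that zone operator is the right party to vouch for an application's key, which is the mismatch between DNS and application trust models the message above is pointing at.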