To: sommerfeld@orchard.arlington.ma.us
Cc: keydist@cafax.se
From: RJ Atkinson <rja@extremenetworks.com>
Date: Tue, 26 Mar 2002 10:26:34 -0500
In-Reply-To: <20020326001858.563452A4E@orchard.arlington.ma.us>
Sender: owner-keydist@cafax.se
Subject: Re: My take on the BoF session
On Monday, March 25, 2002, at 07:18 , Bill Sommerfeld wrote:

> Here's a simple problem statement:
>
> ---
>
> Presuming the widespread deployment of dns security, provide
> infrastructure allowing two systems on the internet to
> opportunistically establish secure communications with moderate levels
> of assurance with minimal to no preconfiguration.
>
> ----

What is missing from the above (and from the BOF) that needs to get
added back in is some scope limitation:

- limiting use of application keys in DNS (with DNSsec) to specific
  identity types that are natural to the DNS; situations where the DNS
  semantics and the identity semantics are essentially the same.

- Examples:
  Fully-qualified domain name (maps directly to A record, with identical semantics)
  IP Address (maps directly to PTR record, with identical semantics)
  Mailbox name (maps directly to MB record, with identical semantics)

- SSH and IPsec want naturally to use those types of identities (and
  some others not well-suited to putting keys in DNS). When using those
  particular identities, it would be most sensible to be able to store
  public keys (signed) in DNS using DNSsec for signatures.

- And "moderate assurance" seems quite reasonable to describe what
  DNSsec would provide for those public keys in the above situations,
  contrary to Keith's claims. High assurance (relative to IETF, but not
  DoD) might be X.509v3 with multiple validating signatures or maybe
  some multiply-signed PGP blobs.

IMHO,

Ran
rja@extremeneworks.com
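The scope limitation argued for above, as an added illustration (not code from this thread or from any keydist participant): a small Python check that accepts only the three identity types whose semantics the message says match a DNS record type, derives the DNS owner name and record type a key lookup would use, and rejects everything else as out of scope. The mailbox-to-owner-name encoding (local part as leading label, dots escaped, as in an SOA RNAME) is an assumption for illustration; the message itself only names the MB record.

```python
import ipaddress
import re

# Identity types with a natural DNS equivalent, per the message:
#   fully-qualified domain name -> A record owner name
#   IP address                  -> PTR record owner name (reverse tree)
#   mailbox name                -> MB record owner name
# Anything else has no matching DNS semantics and is left out of scope.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _is_fqdn(name):
    """True for a dotted name of at least two well-formed labels."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(lab) for lab in labels)


def dns_owner_for_identity(identity):
    """Return (record_type, owner_name) for an identity that maps
    directly onto DNS, or None when the identity is out of scope."""
    ident = identity.strip()

    # IP address (v4 or v6): look under the reverse-mapping tree, PTR.
    try:
        addr = ipaddress.ip_address(ident)
        return ("PTR", addr.reverse_pointer + ".")
    except ValueError:
        pass

    # Mailbox local@domain: assumed RFC 1035 mailbox-as-domain-name
    # encoding (local part becomes the first label, dots escaped), MB.
    if ident.count("@") == 1:
        local, domain = ident.split("@")
        if local and _is_fqdn(domain):
            owner = local.replace(".", r"\.") + "." + domain.rstrip(".") + "."
            return ("MB", owner)
        return None

    # Fully-qualified domain name: the name itself, A.
    if _is_fqdn(ident):
        return ("A", ident.rstrip(".") + ".")

    # Person names, X.500 DNs, etc.: no DNS semantics, so no key in DNS.
    return None
```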