To: sommerfeld@orchard.arlington.ma.us
Cc: keydist@cafax.se
From: RJ Atkinson <rja@extremenetworks.com>
Date: Tue, 26 Mar 2002 10:26:34 -0500
In-Reply-To: <20020326001858.563452A4E@orchard.arlington.ma.us>
Sender: owner-keydist@cafax.se
Subject: Re: My take on the BoF session
On Monday, March 25, 2002, at 07:18 , Bill Sommerfeld wrote:
> Here's a simple problem statement:
>
> ---
>
> Presuming the widespread deployment of dns security, provide
> infrastructure allowing two systems on the internet to
> opportunistically establish secure communications with moderate levels
> of assurance with minimal to no preconfiguration.
>
> ----
What is missing from the above (and from the BOF) that needs
to get added back in is some scope limitation:
- limiting use of application keys in DNS (with DNSsec)
to specific identity types that are natural to the DNS;
situations where the DNS semantics and the identity semantics
are essentially the same.
- Examples:
    Fully-qualified domain name (maps directly to A record,
      with identical semantics)
    IP Address (maps directly to PTR record, with identical
      semantics)
    Mailbox name (maps directly to MB record, with identical
      semantics)
- SSH and IPsec want naturally to use those types of identities
(and some others not well-suited to putting keys in DNS).
When using those particular identities, it would be most
sensible to be able to store public keys (signed) in DNS
using DNSsec for signatures.
- And "moderate assurance" seems quite reasonable to describe
what DNSsec would provide for those public keys in the
above situations, contrary to Keith's claims. High assurance
(relative to IETF, but not DoD) might be X.509v3 with multiple
validating signatures or maybe some multiply-signed PGP blobs.
IMHO,
Ran
rja@extremeneworks.com
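Added example (not part of the message above, not code from any project the list discusses): the scope rule Ran proposes says a key may be fetched from DNS only for identities whose DNS semantics coincide with the identity semantics. The function below makes that rule concrete by deriving the DNS owner name for each of the three identity types he lists (FQDN maps to itself, an IP address to its in-addr.arpa or ip6.arpa reverse name, a mailbox to the RFC 1035 MB-style name with dots in the local part escaped) and rejecting anything else. A second function models the "moderate assurance" decision: a key is accepted only when the answer was DNSSEC-validated. The record store, the `dnssec_validated` flag and the key strings are constructed for the example; the key record type itself is left abstract because the message does not name one.

```python
import ipaddress
import re

# RFC 1035 hostname labels: letters, digits, hyphen, not starting/ending with hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _check_fqdn(name: str) -> str:
    """Return a normalised FQDN or raise ValueError if it is not one."""
    name = name.rstrip(".").lower()
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
        raise ValueError(f"not a fully-qualified domain name: {name!r}")
    return name


def key_lookup_name(identity: str) -> str:
    """Map an identity to the DNS owner name under which its key would live.

    Only the identity types whose DNS semantics equal the identity semantics
    (FQDN, IP address, mailbox) are accepted; anything else is refused so the
    caller cannot stretch DNS-stored keys to identities DNS does not name.
    """
    if "@" in identity:
        # Mailbox -> MB-style owner name: local part with '.' escaped, then domain.
        local, _, domain = identity.partition("@")
        if not local or "@" in domain:
            raise ValueError(f"malformed mailbox: {identity!r}")
        return local.replace(".", r"\.") + "." + _check_fqdn(domain)
    try:
        # IP address -> PTR owner name (in-addr.arpa / ip6.arpa).
        return ipaddress.ip_address(identity).reverse_pointer
    except ValueError:
        pass
    # Anything left must be a host name that maps straight to an A record.
    return _check_fqdn(identity)


# Constructed record store: owner name -> (key blob, whether the answer was
# DNSSEC-validated). Real code would take this from a validating resolver.
CONSTRUCTED_ZONE = {
    "host.example.org": ("ssh-key-AAAA-constructed", True),
    "1.2.0.192.in-addr.arpa": ("ipsec-key-BBBB-constructed", True),
    "alice.example.org": ("pgp-key-CCCC-constructed", False),  # unsigned answer
}


def fetch_key(identity: str, zone=CONSTRUCTED_ZONE):
    """Return the key for `identity` only if DNS holds it and DNSSEC validated it.

    Returns None when the record is absent or the answer was not validated;
    an unsigned answer gives no assurance at all and must not be used.
    """
    owner = key_lookup_name(identity)
    record = zone.get(owner)
    if record is None:
        return None
    key, dnssec_validated = record
    return key if dnssec_validated else None


if __name__ == "__main__":
    for ident in ("host.example.org", "192.0.2.1", "2001:db8::1",
                  "alice@example.org", "john.doe@example.org"):
        print(f"{ident:22} -> {key_lookup_name(ident)}")
    print("fetch host.example.org :", fetch_key("host.example.org"))
    print("fetch alice@example.org:", fetch_key("alice@example.org"))
```

Identities that are not natural DNS names (a bare username, a free-form string) raise `ValueError` from `key_lookup_name`, which is the scope limitation in code: such identities get no DNS key path at all rather than a best-effort one.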