To: Johan Ihren <johani@autonomica.se>
Cc: Keith Moore <moore@cs.utk.edu>, sommerfeld@orchard.arlington.ma.us, Edward Lewis <lewis@tislabs.com>, keydist@cafax.se
From: Simon Josefsson <simon+keydist@josefsson.org>
Date: Tue, 26 Mar 2002 19:44:48 +0100
In-Reply-To: <2c3cynqzoq.fsf@snout.autonomica.net> (Johan Ihren's message of "26 Mar 2002 13:30:13 +0100")
Sender: owner-keydist@cafax.se
User-Agent: Gnus/5.090006 (Oort Gnus v0.06) Emacs/21.2 (i686-pc-linux-gnu)
Subject: Re: My take on the BoF session

Johan Ihren <johani@autonomica.se> writes:

> I.e. while I fully agree that the chain of trust from the public DNS
> root down to your random zone deep-down-in-the-tree may be difficult
> to assess, that could be improved by the CA selling service in the
> form of delegation of
>
>         autonomica.customer.[some CA].com
>
> to me. Then you and I both acquire the trusted key for [some CA].com
> and things have suddenly improved from what we have today. Trust
> analysis becomes possible since there are no unknown entities between
> me and the CA and the public DNS root is out of the equation.
>
> True, the domainname is a bit more unwieldy. But depending upon the
> amount of trust that you're looking for that may or may not be
> acceptable.

Yes, this is a good idea. It is very similar to what PGP users already do: they configure their software to use (trust) e.g. keyserver.net or wwwkeys.pgp.net. Now, if the software used DNS and looked up 0x1234.keyserver.net instead of doing things over HTTP we would have this working.

It is similar to what I'd like to see in SSH as well: you could configure your SSH client to trust particular DNSSEC keys and you would not have to answer any questions when connecting to hosts with keys in DNS signed by that trusted DNSSEC zone.

This model was implied by some of the use cases (section 5) in draft-josefsson-siked-framework-00.txt but unfortunately that document might be a bit unclear on things.
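
An added example, not part of the original message or of any software it mentions: a sketch of how a client with locally configured trust anchors could pick the anchor for a name and list the names (possible zone cuts) that remain in the chain below it. The zone `someca.example` and the function names are constructed placeholders, and no DNSSEC signature checking is performed here.

```python
# Added illustration; all zone names are constructed placeholders.

def labels(name):
    """Split a DNS name into lower-cased labels; '.' (the root) gives []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def closest_anchor(name, anchors):
    """Return the most specific configured trust anchor enclosing `name`.

    Matching is done on whole labels, so 'host.notsomeca.example' is not
    treated as being under 'someca.example'. Returns None when no anchor
    encloses the name; such a lookup has to be treated as unauthenticated.
    """
    want = labels(name)
    best = None
    for anchor in anchors:
        a = labels(anchor)
        if len(a) <= len(want) and (not a or want[-len(a):] == a):
            if best is None or len(a) > len(labels(best)):
                best = anchor
    return best

def chain_below(name, anchors):
    """List every name from the chosen anchor down to `name`.

    Each entry is a possible zone cut, i.e. a party whose key could sit
    in the chain of trust that a validator has to follow.
    """
    anchor = closest_anchor(name, anchors)
    if anchor is None:
        return None
    want = labels(name)
    depth = len(labels(anchor))
    return [".".join(want[-n:]) + "." if n else "."
            for n in range(depth, len(want) + 1)]

if __name__ == "__main__":
    name = "autonomica.customer.someca.example"
    # Only the public root configured: every level of the tree is in the chain.
    print(chain_below(name, ["."]))
    # CA zone configured as an anchor: the root and TLD drop out of the chain.
    print(chain_below(name, [".", "someca.example"]))
```
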