To: Randy Bush <randy@psg.com>
Cc: keydist@cafax.se
From: RJ Atkinson <rja@extremenetworks.com>
Date: Tue, 26 Mar 2002 14:16:19 -0500
In-Reply-To: <E16pw8W-000JIr-00@rip.psg.com>
Sender: owner-keydist@cafax.se
Subject: Re: My take on the BoF session
On Tuesday, March 26, 2002, at 01:57 , Randy Bush wrote:
>> Example: inet.org could use its own key to sign DNS records
>> under inet.org and could distribute the authentication key
>> for inet.org's records via out-of-band/non-DNS methods.
>
> this seems a fantastic improvement over inet.org distributing the
> ssh keys themselves via oob.

Sarcasm noted, but it actually would be a big improvement. I'll assume that the scaling benefit wasn't obvious and add more detail below.

Instead of having to use OOB methods to distribute a large number of keys (some of which change relatively frequently) to a large number of correspondents (which approach is O[n * m] complexity), one can distribute *1* authentication key (which would not change often at all) to the same number of correspondents (which approach is O[m] complexity). In Computer Science, we normally consider it a fantastic win if we can reduce something from geometric complexity to something much less complex.

And that is assuming that one has Keith's concerns about the root. If one considers the case of the US DoD (which conveniently has their own TLD, for historical reasons), and can strongly influence the root key's assurance properties, the scaling properties are even better than for a single subdomain.

Ran
rja@extremenetworks.com
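The scaling argument in the reply above, as an added toy model that is not part of the thread: it replays a sequence of host-key rotations under both schemes and counts how many out-of-band (OOB) deliveries each correspondent needs. The scheme names, the `Correspondent` class and the key identifiers are constructed for the model; signing and verification are abstracted to a trusted-key-id check so the script runs with the standard library only (a real deployment such as DNSSEC uses public-key signatures for the in-band records).

```python
from dataclasses import dataclass, field

@dataclass
class Correspondent:
    """One party that must be able to authenticate the zone's host keys."""
    trusted: dict = field(default_factory=dict)  # what was delivered OOB
    oob_count: int = 0

    def deliver_oob(self, name, key):
        # Every OOB delivery is a manual, per-correspondent cost.
        self.trusted[name] = key
        self.oob_count += 1

    def verify_inband(self, host, key, signer_id):
        # Signed-zone scheme: an in-band record is accepted when it is
        # signed by the one zone key this correspondent already holds.
        # (Abstracted: real code would check a signature with that key.)
        return self.trusted.get("zone-key") == signer_id

def simulate(scheme, hosts, n_correspondents, rotations):
    """Return total OOB deliveries for `scheme` ("per-host" or "signed-zone").

    hosts: names whose keys must be authenticated.
    rotations: list of (host, new_key) events after initial provisioning.
    """
    if scheme not in ("per-host", "signed-zone"):
        raise ValueError(f"unknown scheme {scheme!r}")
    peers = [Correspondent() for _ in range(n_correspondents)]
    zone_key = "ZK-1"                                  # constructed id
    records = {h: f"{h}-key-1" for h in hosts}         # constructed keys

    # Initial provisioning: n keys per correspondent vs. one zone key.
    for p in peers:
        if scheme == "per-host":
            for h, k in records.items():
                p.deliver_oob(h, k)
        else:
            p.deliver_oob("zone-key", zone_key)

    # Host key rotations: OOB again per correspondent, or in-band + verify.
    for host, new_key in rotations:
        records[host] = new_key
        for p in peers:
            if scheme == "per-host":
                p.deliver_oob(host, new_key)
            elif not p.verify_inband(host, new_key, zone_key):
                raise RuntimeError("in-band record rejected")
    return sum(p.oob_count for p in peers)
```

With n hosts, m correspondents and r rotations the per-host scheme costs m*(n+r) OOB deliveries, while the signed-zone scheme costs m regardless of n and r.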