To: Randy Bush <randy@psg.com>
Cc: keydist@cafax.se
From: RJ Atkinson <rja@extremenetworks.com>
Date: Tue, 26 Mar 2002 15:26:50 -0500
In-Reply-To: <E16px0w-000Kye-00@rip.psg.com>
Sender: owner-keydist@cafax.se
Subject: Re: My take on the BoF session
On Tuesday, March 26, 2002, at 02:53, Randy Bush wrote:

> oh, like sending a cert for my ldap server which serves psg.com's
> pgp, ssh, and sushi cabinet keys, as well as the whois data for
> users, subdomains, address space, ...?

Perhaps I'm too stupid. However, I have consistently found it terribly difficult to operate a real CA -- not because the functions are intrinsically difficult in theory, but because operating a bunch of extra infrastructure is MUCH harder and the CAs that I can locate are needlessly hard to operate.

My own experiments with DNSsec in a private network have, so far, indicated that would be a more operationally practical approach than using CAs and X.509v3 all over the place. YMMV.

In particular, even if I used CAs and CERTs for everything else, I'd still need to do all the DNSsec stuff to ensure that IP address resolution (etc) is authenticated appropriately. By leveraging the DNSsec stuff, I cut the amount of work I need to do roughly in half, which is a huge benefit.

Ran