To: Edward Lewis <lewis@tislabs.com>
Cc: keydist@cafax.se
From: RJ Atkinson <rja@extremenetworks.com>
Date: Thu, 28 Mar 2002 10:52:55 -0500
In-Reply-To: <v03130311b8c8e3ed7e65@[199.171.39.21]>
Sender: owner-keydist@cafax.se
Subject: Re: Let's assume DNS is involved

On Thursday, March 28, 2002, at 10:37, Edward Lewis wrote:

> For the purpose of this thread, I will assume that DNS
> is a crucial element in the distribution of keys.

I suspect the folks who are objecting in the previous thread would/will suggest that the above assertion is unreasonable as an assumption.

I'm a bit more sympathetic, but I also think the above assertion is unreasonable to just assume into existence. I think you'd make more progress if you started with a clear crisp rationale justifying the premise above. One of the main problems with the BOF was the lack of justification for the above premise during the BOF.

Someone needs to clearly and crisply answer the question below (to the satisfaction of most folks, not necessarily everyone) before working on the mechanical details of how DNSsec-based key distribution should work:

What problem is being solved by DNSsec-based distribution of signed keys that is not equally easily solved by use of certificates? And why are certificates not an equally good solution to that problem?

Cheers,

Ran
rja@extremenetworks.com