To: keydist@cafax.se
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Fri, 29 Mar 2002 18:32:21 -0500
In-reply-to: Your message of "Thu, 28 Mar 2002 10:52:55 EST." <DE4CABF2-4263-11D6-91C6-00039357A82A@extremenetworks.com>
Sender: owner-keydist@cafax.se
Subject: Re: Let's assume DNS is involved
>>>>> "RJ" == RJ Atkinson <rja@extremenetworks.com> writes:
    RJ> premise during the BOF. Someone needs to clearly and crisply
    RJ> answer the question below (to the satisfaction of most folks,
    RJ> not necessarily everyone) before working on the mechanical
    RJ> details of how DNSsec-based key distribution should work:

    RJ> What problem is being solved by DNSsec-based distribution
    RJ> of signed keys that is not equally easily solved by use of
    RJ> certificates ? And why are certificates not an equally
    RJ> good solution to that problem ?

a) There is no certification authority which signs keys for where the
   name is an IP address. Meanwhile, the delegation of the authority of
   the reverse maps represents an actual delegation of authority to say
   which key is which.

b) We are already dependent upon the DNS to provide name->IP mapping, and
   that has to be strongly linked (at the SAME TIME) to the keys to be
   used for the actual communication.

So, a way to ask your question a different way is:

   "How come we do not map names -> IP addresses using LDAP from a
    Verisign/Thawte hosted LDAP server?"

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [