To: keydist@cafax.se
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Fri, 29 Mar 2002 18:32:21 -0500
In-reply-to: Your message of "Thu, 28 Mar 2002 10:52:55 EST." <DE4CABF2-4263-11D6-91C6-00039357A82A@extremenetworks.com>
Sender: owner-keydist@cafax.se
Subject: Re: Let's assume DNS is involved


>>>>> "RJ" == RJ Atkinson <rja@extremenetworks.com> writes:
    RJ> premise during the BOF.  Someone needs to clearly and crisply
    RJ> answer the question below (to the satisfaction of most folks,
    RJ> not necessarily everyone) before working on the mechanical
    RJ> details of how DNSsec-based key distribution should work:

    RJ> 	What problem is being solved by DNSsec-based distribution
    RJ> 	of signed keys that is not equally easily solved by use of
    RJ> 	certificates ?  And why are certificates not an equally
    RJ> 	good solution to that problem ?

a) There is no certification authority which signs keys where the name
   is an IP address.

  Meanwhile, the delegation of the authority of the reverse maps represents
an actual delegation of authority to say which key is which.

b) We are already dependent upon the DNS to provide name->IP mapping, and
   that has to be strongly linked (at the SAME TIME) to the keys to be used
   for the actual communication.

  So, a way to ask your question a different way is:

  "How come we do not map names -> IP addresses using LDAP from a Verisign/Thawte
   hosted LDAP server?"

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [


