To: keydist@cafax.se
From: Edward Lewis <lewis@tislabs.com>
Date: Thu, 4 Apr 2002 11:20:05 -0500
In-Reply-To: <3CAC790E.351D4128@baltimore.ie>
Sender: owner-keydist@cafax.se
Subject: Re: Let's assume DNS is involved
At 11:02 AM -0500 4/4/02, Stephen Farrell wrote:

> What problem is being solved by DNSsec-based distribution
> of signed keys that is not equally easily solved by use of
> certificates ? And why are certificates not an equally
> good solution to that problem ?

I think that this is a good (set of) central question(s). I don't have a ready answer to the question.

I agree that the "lack of a PKI" isn't an answer, but I think that the lack is a symptom of the/an underlying problem. Earlier I felt that the reason why SSH (to pick on the topic locally studied for some time) was a good candidate for keys in DNS was that organizations run DNS and not CAs for their hosts. Why network administration has not picked up PKI as a core element is a good question and shouldn't be an excuse to settle for the path of least resistance[1].

[1] That being putting keys into DNS with the existing record types - unless you consider the resistance put up by some critics. ;)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                          NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

Opinions expressed are property of my evil twin, not my employer.