

To: keydist@cafax.se
From: Edward Lewis <lewis@tislabs.com>
Date: Thu, 4 Apr 2002 11:20:05 -0500
In-Reply-To: <3CAC790E.351D4128@baltimore.ie>
Sender: owner-keydist@cafax.se
Subject: Re: Let's assume DNS is involved

At 11:02 AM -0500 4/4/02, Stephen Farrell wrote:
>        What problem is being solved by DNSsec-based distribution
>        of signed keys that is not equally easily solved by use of
>        certificates ?  And why are certificates not an equally
>        good solution to that problem ?

I think that this is a good (set of) central question(s).  I don't have a
ready answer to the question.  I agree that the "lack of a PKI" isn't an
answer, but I think that the lack is a symptom of the/an underlying problem.

Earlier I felt that the reason why SSH (to pick on the topic locally
studied for some time) was a good candidate for keys in DNS was that
organizations run DNS and not CA's for their hosts.  Why network
administration has not picked up PKI as a core element is a good question
and shouldn't be an excuse to settle for the path of least resistance[1].

[1] That being putting keys into DNS with the existing record types -
unless you consider the resistance put up by some critics. ;)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

Opinions expressed are property of my evil twin, not my employer.
