To:
<keydist@cafax.se>, "Edward Lewis" <lewis@tislabs.com>
From:
"James Seng" <jseng@pobox.org.sg>
Date:
Sat, 6 Apr 2002 09:11:41 +0800
Sender:
owner-keydist@cafax.se
Subject:
Re: Let's assume DNS is involved
Continuing the line of SSH, there are two sides to this argument.

The proponent argues that DNSSEC provides more efficiency for SSH and solves the problem of bootstrapping. The keys come from the same source that provides the IP address. An SSL session can be established with signed information from DNSSEC, without prior out-of-band exchange of keys.

The opponent argues that we should not be loading more stuff into the DNS, especially when other existing technology can provide the same thing. LDAP servers can serve certificates as well as DNSSEC can. Bootstrapping is not a problem since a secure channel is not needed for certificate exchange. Locating the appropriate LDAP server is an undefined problem, but that does not involve loading keys into the DNS.

Assuming I haven't missed anything, then, all else being equal, the question is whether the additional efficiency of using DNSSEC over LDAP is worth the effort/risk of loading keys into the DNS.

ps: something to think about: what is the "problem" with adding more stuff into DNS?

-James Seng

> At 11:02 AM -0500 4/4/02, Stephen Farrell wrote:
> > What problem is being solved by DNSsec-based distribution
> > of signed keys that is not equally easily solved by use of
> > certificates ? And why are certificates not an equally
> > good solution to that problem ?
>
> I think that this is a good (set of) central question(s). I don't have a
> ready answer to the question. I agree that the "lack of a PKI" isn't an
> answer, but I think that the lack is a symptom of the/an underlying problem.
>
> Earlier I felt that the reason why SSH (to pick on the topic locally
> studied for some time) was a good candidate for keys in DNS was that
> organizations run DNS and not CAs for their hosts. Why network
> administration has not picked up PKI as a core element is a good question
> and shouldn't be an excuse to settle for the path of least resistance[1].
>
> [1] That being putting keys into DNS with the existing record types -
> unless you consider the resistance put up by some critics. ;)
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis NAI Labs
> Phone: +1 443-259-2352 Email: lewis@tislabs.com
>
> Opinions expressed are property of my evil twin, not my employer.
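The bootstrapping mechanism the thread is debating (the SSH client learns the host key from the same DNSSEC-signed source that gave it the address, so no out-of-band key exchange is needed) was later standardized as the SSHFP record (RFC 4255, with ECDSA, Ed25519 and SHA-256 added by later RFCs; OpenSSH implements the client side as VerifyHostKeyDNS). The following is an added example, not code from anyone in this thread: it builds a constructed Ed25519 host key, derives the SSHFP rdata an operator would publish (what `ssh-keygen -r` prints), and then checks a presented host key against a mock validating-resolver answer. The `dns_answer` dict, its `ad` flag and the sample key bytes are assumptions standing in for a real resolver response; the point the code makes is the security caveat the proponents' argument depends on: an SSHFP match only means something if the answer was DNSSEC-validated, otherwise it is no stronger than trust-on-first-use.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample host key: 32 arbitrary bytes, NOT a real host's key.
SAMPLE_ED25519_PUB = bytes(range(32))

# SSHFP algorithm / fingerprint-type numbers from the IANA SSHFP registry
# (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix plus the bytes."""
    return struct.pack(">I", len(b)) + b


def build_openssh_key_line(key_type: str, raw_pub: bytes) -> str:
    """Assemble an OpenSSH public-key line ('type base64blob comment')."""
    blob = ssh_string(key_type.encode()) + ssh_string(raw_pub)
    return f"{key_type} {base64.b64encode(blob).decode()} host.example.net"


def sshfp_records_for(key_line: str) -> list:
    """SSHFP rdata an operator would publish for this key.

    Per RFC 4255 the fingerprint is the digest of the public-key blob
    (the base64-decoded part of the key line), one record per digest type.
    """
    key_type, b64, *_ = key_line.split()
    blob = base64.b64decode(b64)
    alg = SSHFP_ALG[key_type]
    return [f"{alg} {fpt} {h(blob).hexdigest()}" for fpt, h in SSHFP_FPTYPE.items()]


def verify_host_key_via_dns(key_line: str, dns_answer: dict) -> str:
    """Decide whether a presented host key is vouched for by DNS.

    dns_answer is an assumed shape {'ad': bool, 'sshfp': [rdata, ...]}
    modelling a validating resolver's reply: 'ad' is the Authenticated Data
    flag (DNSSEC validation succeeded), 'sshfp' the SSHFP rdata strings.
    Returns 'trusted', 'mismatch', 'insecure' or 'no-record'.
    """
    if not dns_answer.get("ad"):
        # Unsigned/unvalidated answer: an attacker who can spoof the A record
        # can spoof the SSHFP record too, so refuse to treat it as trust.
        return "insecure"
    key_type, b64, *_ = key_line.split()
    blob = base64.b64decode(b64)
    alg = SSHFP_ALG.get(key_type)
    saw_comparable_record = False
    for rdata in dns_answer.get("sshfp", []):
        r_alg, r_fpt, r_hex = rdata.split()
        if int(r_alg) != alg:
            continue                      # record is for a different key type
        hfun = SSHFP_FPTYPE.get(int(r_fpt))
        if hfun is None:
            continue                      # unknown digest type; ignore
        saw_comparable_record = True
        if hmac.compare_digest(hfun(blob).hexdigest(), r_hex.lower()):
            return "trusted"
    return "mismatch" if saw_comparable_record else "no-record"


if __name__ == "__main__":
    key = build_openssh_key_line("ssh-ed25519", SAMPLE_ED25519_PUB)
    records = sshfp_records_for(key)
    for r in records:
        print("host.example.net. IN SSHFP", r)
    print(verify_host_key_via_dns(key, {"ad": True, "sshfp": records}))
    print(verify_host_key_via_dns(key, {"ad": False, "sshfp": records}))
```

The `insecure` branch is the whole argument in miniature: publishing fingerprints in plain DNS adds nothing over the SSH client's usual first-connection prompt, and only a signed, validated answer makes the DNS path a substitute for an out-of-band key exchange or a certificate fetched from LDAP.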