KEYDIST mailing list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: <keydist@cafax.se>, "Edward Lewis" <lewis@tislabs.com>
From: "James Seng" <jseng@pobox.org.sg>
Date: Sat, 6 Apr 2002 09:11:41 +0800
Sender: owner-keydist@cafax.se
Subject: Re: Let's assume DNS is involved

Continue the line of SSH, there are two side to this argument.

The proponent argues that DNSSEC provides more effeciency for SSH and solve
the problem of bootstrapping. The keys comes from the same source who
provides the IP address. SSL session can be established with signed
information from DNSSEC, without prior out-of-band exchange of keys.

The opponent argues that we should not loading more stuff into the DNS,
especially other existing technology can provide the same thing. LDAP
servers can serves certificate as well as DNSSEC. Bootstrapping is not a
problem since secure channel is not needed for certificate exchange.
Locating the appropriate LDAP server is an undefined problem but that does
not involved loading keys into the DNS.

Assuming I havent missed out anything, then all been equal, the question is
whether the additional efficiency of using DNSSEC over LDAP is worth the
effort/risk to load keys into the DNS.

ps: something to think abt: what is the "problem" to add more stuff into
DNS?

-James Seng

> At 11:02 AM -0500 4/4/02, Stephen Farrell wrote:
> >        What problem is being solved by DNSsec-based distribution
> >        of signed keys that is not equally easily solved by use of
> >        certificates ?  And why are certificates not an equally
> >        good solution to that problem ?
>
> I think that this is a good (set of) central question(s).  I don't have a
> ready answer to the question.  I agree that the "lack of a PKI" isn't an
> answer, but I think that the lack is a symptom of the/an underlying
problem.
>
> Earlier I felt that the reason why SSH (to pick on the topic locally
> studied for some time) was a good candidate for keys in DNS was that
> organizations run DNS and not CA's for their hosts.  Why network
> administration has not picked up PKI as a core element is a good question
> and shouldn't be an excuse to settle for the path of least resistence[1].
>
> [1] That being putting keys into DNS with the existing record types -
> unless you consider the resistence put up by some critics. ;)
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis                                                NAI Labs
> Phone: +1 443-259-2352                      Email: lewis@tislabs.com
>
> Opinions expressed are property of my evil twin, not my employer.
>
>
>

Follow-Ups:
- Re: Let's assume DNS is involved
  - From: Mats Dufberg <dufberg@telia.net>
- Re: Let's assume DNS is involved
  - From: Greg Hudson <ghudson@MIT.EDU>
- Re: Let's assume DNS is involved
  - From: Simon Josefsson <simon+keydist@josefsson.org>

References:
- Re: Let's assume DNS is involved
  - From: RJ Atkinson <rja@extremenetworks.com>
- Re: Let's assume DNS is involved
  - From: Edward Lewis <lewis@tislabs.com>

Prev by Date: Re: Let's assume DNS is involved
Next by Date: Re: Let's assume DNS is involved
Prev by thread: Re: Let's assume DNS is involved
Next by thread: Re: Let's assume DNS is involved
Index(es):
- Date
- Thread

Home | Date list | Subject list