To:
keydist@cafax.se
From:
Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date:
Sun, 07 Apr 2002 13:18:41 -0400
In-reply-to:
Your message of "Sat, 06 Apr 2002 17:47:48 +0200." <ilulmc0kevv.fsf@josefsson.org>
Sender:
owner-keydist@cafax.se
Subject:
Re: Let's assume DNS is involved
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Simon" == Simon Josefsson <simon+keydist@josefsson.org> writes:
Simon> As Greg and I seem to agree that putting keys (or key fingerprints) in
Simon> DNS is useful, my answers below are mostly directed to those who are
Simon> still skeptical, and justify their standpoint using one of the
Simon> arguments discussed here.
Thank you for the comments Simon, I agree strongly with them all.
Simon> This can be solved by configuring campus A's DNSSEC key in campus B's
Simon> resolver.
>> * Users often assume that DNS names are what they sound like. Is
>> bankofamerica.com owned by the Bank of America? Probably, but Verisign
>> doesn't promise anything of the sort. Encouraging users to put more
>> trust in DNS names could lead to greater potential for abuse.
Simon> This might be a problem.
No, it is not.
if I type "ssh bankofamerica.com" in, then I that is what I meant. I get
the assurance that the RSA key that I find in DNS is indeed the the RSA key
for "bankofamerica.com" and the A record that I get is in fact the IP address
of bankofamerica.com. If DNSSEC is good enough to assure me that the A record
is correct, then it is good enough to tell me that the KEY record is correct.
The problem you refer to - that names do not necessarily translate well
from meat space to cypherspace is a well documented problem of public key
infrastructures. It is out of scope:
It just doesn't matter how you got the key or certificate or who signed
it. Unless you have assigned *AUTHORITY* for translation of meat-space to
cypherspace to that signer, you lose. Go read the SPKI archives and documents
for more views on this.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys
iQCVAwUBPLB/boqHRg3pndX9AQG0ogQAlQdxefuRLJqKxskCP1iJtvVOqxbGqe5q
XHJlHhQcsjtmReM83cSoRqzfsXwgsLnAbFWWdRUePJhB5rDHy4Hajq0gcla9zi/M
8eBtwQXbFDsLe7CN9a9fEqhBHAjmtaJms5tApT6jVyeOCLyqZWyG6bRa6pl9gf8x
9QlTUhOaMBY=
=BKIl
-----END PGP SIGNATURE-----