To:
keydist@cafax.se
From:
Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date:
Sun, 07 Apr 2002 13:18:41 -0400
In-reply-to:
Your message of "Sat, 06 Apr 2002 17:47:48 +0200." <ilulmc0kevv.fsf@josefsson.org>
Sender:
owner-keydist@cafax.se
Subject:
Re: Let's assume DNS is involved
-----BEGIN PGP SIGNED MESSAGE----- >>>>> "Simon" == Simon Josefsson <simon+keydist@josefsson.org> writes: Simon> As Greg and I seem to agree that putting keys (or key fingerprints) in Simon> DNS is useful, my answers below are mostly directed to those who are Simon> still skeptical, and justify their standpoint using one of the Simon> arguments discussed here. Thank you for the comments Simon, I agree strongly with them all. Simon> This can be solved by configuring campus A's DNSSEC key in campus B's Simon> resolver. >> * Users often assume that DNS names are what they sound like. Is >> bankofamerica.com owned by the Bank of America? Probably, but Verisign >> doesn't promise anything of the sort. Encouraging users to put more >> trust in DNS names could lead to greater potential for abuse. Simon> This might be a problem. No, it is not. if I type "ssh bankofamerica.com" in, then I that is what I meant. I get the assurance that the RSA key that I find in DNS is indeed the the RSA key for "bankofamerica.com" and the A record that I get is in fact the IP address of bankofamerica.com. If DNSSEC is good enough to assure me that the A record is correct, then it is good enough to tell me that the KEY record is correct. The problem you refer to - that names do not necessarily translate well from meat space to cypherspace is a well documented problem of public key infrastructures. It is out of scope: It just doesn't matter how you got the key or certificate or who signed it. Unless you have assigned *AUTHORITY* for translation of meat-space to cypherspace to that signer, you lose. Go read the SPKI archives and documents for more views on this. ] ON HUMILITY: to err is human. To moo, bovine. | firewalls [ ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[ ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[ ] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [ -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: latin1 Comment: Finger me for keys iQCVAwUBPLB/boqHRg3pndX9AQG0ogQAlQdxefuRLJqKxskCP1iJtvVOqxbGqe5q XHJlHhQcsjtmReM83cSoRqzfsXwgsLnAbFWWdRUePJhB5rDHy4Hajq0gcla9zi/M 8eBtwQXbFDsLe7CN9a9fEqhBHAjmtaJms5tApT6jVyeOCLyqZWyG6bRa6pl9gf8x 9QlTUhOaMBY= =BKIl -----END PGP SIGNATURE-----