

To: stephen.farrell@baltimore.ie
Cc: RJ Atkinson <rja@extremenetworks.com>, keydist@cafax.se
From: Derek Atkins <warlord@MIT.EDU>
Date: 07 Apr 2002 13:29:27 -0400
In-Reply-To: <3CAC790E.351D4128@baltimore.ie>
Sender: owner-keydist@cafax.se
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
Subject: Re: Let's assume DNS is involved

Stephen Farrell <stephen.farrell@baltimore.ie> writes:

> > I think the original intent was to say that there is no existing
> > CA which is definitively authoritative for names where the name
> > is an IP address.  
> 
> As I said that's true, but the question asked was:
> 
>         What problem is being solved by DNSsec-based distribution
>         of signed keys that is not equally easily solved by use of
>         certificates ?  And why are certificates not an equally
>         good solution to that problem ?
> 
> In all cases whatever scheme is agreed then has to be deployed,
> so the lack of the deployment of a particular variety of X.509 
> based PKI doesn't provide an answer.

I'm an IPsec stack and I want to set up an opportunistically encrypted
channel between myself and this random host 1.2.3.4 which some user
needs to contact.  The goal is to "encrypt as best as possible".

I could perform an ephemeral Diffie-Hellman which will get me
encryption, but is subject to man-in-the-middle attacks.  If I could
leverage off a DNSSEC key, then I could reduce the threat of this
MitM.

Could I use certificates for this?  Sure, if there were an authority
for IP Address Certificates.  There is already an authority for IP
Address lookups in DNS, so why not leverage it?

The point is that this is not a panacea solution.  It is not a
solution for all applications, either.  It is, however, a solution
that solves a real problem for a small subset of all possible
applications, and solves this real problem with very little additional
overhead or operational complexity.

> Stephen.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
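Added illustration of the argument in the message above (example code, not part of Derek's mail or the keydist thread): one ephemeral Diffie-Hellman run that an active attacker can sit in the middle of undetected, beside the same run with the responder's long-term public key mixed in, standing in for a key the initiator has fetched and validated via DNSSEC. The toy group parameters, the assumption that the DNS-published key is a static DH value, and the key-confirmation tag are all constructed for this example.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only (2**127 - 1 is prime,
# g = 3 is not a vetted generator).  Real IPsec uses standardised MODP groups.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def derive_key(*shared_secrets):
    """Hash one or more 16-byte DH shared secrets into a session key."""
    h = hashlib.sha256()
    for s in shared_secrets:
        h.update(s.to_bytes(16, "big"))
    return h.digest()

def key_confirm(key):
    # Tag the responder sends after key derivation; the initiator recomputes it.
    return hmac.new(key, b"responder key confirmation", hashlib.sha256).digest()

def exchange(static_priv, dns_static_pub, mitm):
    """Returns (unauth_ok, auth_ok): does the initiator accept the responder's
    confirmation tag with a key from the ephemeral DH alone, and with a key that
    also mixes in DH against the long-term public key fetched via DNSSEC."""
    i_priv, i_pub = keypair()        # initiator's ephemeral pair
    r_priv, r_pub = keypair()        # responder's ephemeral pair
    if mitm:
        # Active attacker swaps in its own ephemeral towards both parties.
        m_priv, m_pub = keypair()
        seen_by_init, seen_by_resp = m_pub, m_pub
    else:
        seen_by_init, seen_by_resp = r_pub, i_pub
    init_ee = pow(seen_by_init, i_priv, P)        # g^(i*e) as the initiator sees it
    init_es = pow(dns_static_pub, i_priv, P)      # g^(i*s): needs only the DNS key
    if mitm:
        # The attacker completes the ephemeral exchange with the initiator but
        # cannot compute g^(i*s) without the responder's static private key.
        peer_ee, peer_es = pow(i_pub, m_priv, P), None
    else:
        peer_ee = pow(seen_by_resp, r_priv, P)
        peer_es = pow(seen_by_resp, static_priv, P)
    unauth_ok = hmac.compare_digest(key_confirm(derive_key(init_ee)), key_confirm(derive_key(peer_ee)))
    peer_secrets = (peer_ee,) if peer_es is None else (peer_ee, peer_es)
    auth_ok = hmac.compare_digest(key_confirm(derive_key(init_ee, init_es)), key_confirm(derive_key(*peer_secrets)))
    return unauth_ok, auth_ok
```

Calling `exchange(s_priv, s_pub, mitm=False)` with a fresh long-term pair returns `(True, True)`, while `mitm=True` returns `(True, False)`: the attacker passes the unauthenticated check but fails the one tied to the DNS-published key.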
