

To: "Simon Josefsson" <simon+keydist@josefsson.org>
Cc: <keydist@cafax.se>, "Edward Lewis" <lewis@tislabs.com>
From: "James Seng" <jseng@pobox.org.sg>
Date: Mon, 8 Apr 2002 08:29:27 +0800
Sender: owner-keydist@cafax.se
Subject: Re: Let's assume DNS is involved

> My understanding is that SSH does not use certificates.  It uses raw
> keys, which need integrity protection.

Depends what you mean by "certificates".

Raw keys with info of the owner and a signature of a trusted source
(integrity protection) compose a certificate. Therefore raw keys
distributed over DNSSEC (keys + domain names + signed by parent) are a form
of "certificate", although not a PKI certificate as we are used to.

Therefore, SSH requires a "certificate" although it only *uses* raw keys, as do
all other public-private key applications.

> No, storing the key in LDAP causes a bootstrapping problem that we
> haven't solved.  Assuming DNSSEC takes off, that bootstrapping problem
> is solved for DNS.  I think we have been over this point a few times..

There is no bootstrap problem for PKI certificates. You don't need a secure
channel with more data integrity protection for PKI certificates distributed
over LDAP.

-James Seng
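The binding the message describes (raw key + owner name + a parent's signature), as an added example that is not part of the thread; it assumes Ed25519 keys and a constructed owner name, and shows that the check holds regardless of the channel the record arrived over:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// KeyRecord is a constructed, DNSSEC-style binding: owner name plus raw public
// key, signed by the parent's key. The signature is what makes it a "certificate".
type KeyRecord struct {
	Owner string
	Key   ed25519.PublicKey
	Sig   []byte // parent's signature over Owner || Key
}

// signedBytes is the exact message the parent signs. Including the owner name
// binds the key to that name, so a record for one host cannot be replayed for another.
func signedBytes(owner string, key ed25519.PublicKey) []byte {
	return append([]byte(owner+"\x00"), key...)
}

// Publish is the parent's one-time act of signing a child's raw key.
func Publish(parentPriv ed25519.PrivateKey, owner string, key ed25519.PublicKey) KeyRecord {
	return KeyRecord{Owner: owner, Key: key, Sig: ed25519.Sign(parentPriv, signedBytes(owner, key))}
}

// Verify is the client-side check, holding only the parent's public key as a
// trust anchor. The record may arrive over DNS, LDAP or any untrusted channel.
func Verify(anchor ed25519.PublicKey, rec KeyRecord) bool {
	return ed25519.Verify(anchor, signedBytes(rec.Owner, rec.Key), rec.Sig)
}

func main() {
	parentPub, parentPriv, _ := ed25519.GenerateKey(rand.Reader)
	hostPub, _, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)

	rec := Publish(parentPriv, "host.example.", hostPub) // constructed owner name
	fmt.Println("genuine record verifies:", Verify(parentPub, rec))

	swapped := rec // key substituted in transit: the parent never signed it
	swapped.Key = otherPub
	fmt.Println("substituted key verifies:", Verify(parentPub, swapped))

	renamed := rec // valid record replayed under another owner name
	renamed.Owner = "other.example."
	fmt.Println("renamed record verifies:", Verify(parentPub, renamed))
}
```

The integrity lives in the signature, which is why a PKI certificate fetched over LDAP needs no protected channel either.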

