To:
"Simon Josefsson" <simon+keydist@josefsson.org>
Cc:
<keydist@cafax.se>, "Edward Lewis" <lewis@tislabs.com>
From:
"James Seng" <jseng@pobox.org.sg>
Date:
Mon, 8 Apr 2002 08:29:27 +0800
Sender:
owner-keydist@cafax.se
Subject:
Re: Let's assume DNS is involved
> My understanding is that SSH does not use certificates. It uses raw
> keys, which needs integrity protection.

Depends on what you mean by "certificates". Raw keys with info of the owner and a signature of a trusted source (integrity protection) compose a certificate. Therefore raw keys distributed over DNSSEC (keys + domain names + signed by parent) are a form of "certificate", although not a PKI certificate as we are used to. Therefore, SSH requires a "certificate" although it only *uses* raw keys, as do all other public-private key applications.

> No, storing the key in LDAP causes a bootstrapping problem that we
> haven't solved. Assuming DNSSEC takes off, that bootstrapping problem
> is solved for DNS.

I think we have been over this point a few times... There is no bootstrap problem for a PKI certificate. You don't need a secure channel with more data integrity protection for a PKI certificate distributed over LDAP.

-James Seng
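To make the structural point of the message concrete (a raw key plus the owner's name plus a signature from a trusted parent, verified against a pre-configured trust anchor much as a DNSSEC-signed key record would be), here is an added illustration that is not part of the original thread or of any real SSH or DNSSEC implementation. The RSA parameters, owner names and key bytes are constructed toy values for demonstration only; the key size is far too small to be secure and the hash-reduction step is only acceptable at that toy size.

```python
"""Toy model of "raw key + owner name + parent signature" as a certificate.

All parameters below are CONSTRUCTED for illustration (textbook RSA with
n = 61 * 53); they are not secure and do not model any real protocol.
"""
import hashlib

# Constructed toy RSA key pair for the "parent" (the trust anchor a verifier
# is configured with, analogous to a DNSSEC parent zone key).
PARENT_PUB = (3233, 17)      # (n, e)
PARENT_PRIV = (3233, 2753)   # (n, d); 17 * 2753 == 1 (mod lcm(60, 52))


def _digest_int(data: bytes, n: int) -> int:
    # Hash the message, then reduce into the RSA group. Reducing mod n is
    # only tolerable because this is a toy key size.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def _to_be_signed(owner: str, raw_key: bytes) -> bytes:
    # Bind the owner name and the raw key together so that neither can be
    # swapped out independently without invalidating the signature.
    return owner.encode() + b"\x00" + raw_key


def sign(priv: tuple, owner: str, raw_key: bytes) -> int:
    n, d = priv
    return pow(_digest_int(_to_be_signed(owner, raw_key), n), d, n)


def verify(pub: tuple, owner: str, raw_key: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(_to_be_signed(owner, raw_key), n)


def issue(parent_priv: tuple, owner: str, raw_key: bytes) -> dict:
    # A "certificate" in the sense used in the message: the raw key, the
    # owner's name, and a signature from the trusted parent over both.
    return {"owner": owner, "key": raw_key, "sig": sign(parent_priv, owner, raw_key)}


def verify_certificate(parent_pub: tuple, cert: dict) -> bool:
    return verify(parent_pub, cert["owner"], cert["key"], cert["sig"])


def extract_raw_key(parent_pub: tuple, cert: dict, expected_owner: str):
    # What an application like SSH ultimately consumes is only the raw key,
    # but it may safely do so only after the binding to the expected owner
    # has been checked against the trust anchor. Returns None on failure.
    if cert["owner"] != expected_owner or not verify_certificate(parent_pub, cert):
        return None
    return cert["key"]


if __name__ == "__main__":
    # Constructed sample data.
    cert = issue(PARENT_PRIV, "host.example.", b"constructed-raw-host-key-bytes")
    print("valid:", verify_certificate(PARENT_PUB, cert))
    forged = dict(cert, owner="other.example.")
    print("forged owner accepted:", verify_certificate(PARENT_PUB, forged))
```

The point the functions make: the integrity protection does not come from the transport (DNS, LDAP or anything else) but from the parent's signature over the (owner, key) pair, checked against a key the verifier already trusts; changing either the owner name or the key bytes after issuance makes verification fail.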