To: Eric Rescorla <ekr@rtfm.com>
cc: Key Distribution <keydist@cafax.se>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Wed, 12 Jun 2002 14:42:51 -0400
In-reply-to: Your message of "Wed, 12 Jun 2002 10:37:46 PDT." <200206121737.g5CHbkW11308@romeo.rtfm.com>
Sender: owner-keydist@cafax.se
Subject: Re: Global PKI on DNS?
>>>>> "Eric" == Eric Rescorla <ekr@rtfm.com> writes:
    >> >>>>> "Eric" == Eric Rescorla <ekr@rtfm.com> writes:
    Eric> Nearly all of the major IETF security protocols (TLS, IPsec,
    Eric> OpenPGP) already have their own certificate discovery mechanism and
    Eric> therefore

    >> I guess I'm ignorant of them.
    >>
    >> Your email MTA seems to be 198.144.203.251. I want to send you an
    >> IPsec secured ping, where do I look for your key?
    >>
    >> If your email MTA supported STARTTLS, where would I look to get a copy of
    >> the certificate, other than inside the protocol?

    Eric> So, what you mean to say here is: "Aside from the place where I'm
    Eric> supposed to get certificates from, where am I supposed to get
    Eric> certificates from?"

  Yes, where am I supposed to get the certificates for the keys which
signed the certificate that you gave me in protocol?

  You can't be assuming that there will always be a single level of trust,
and we will all use the same CA?

    Eric> no reason in either case for you to go outside the protocol to get the
    Eric> key. In fact, in TLS it's impossible to do so because the server's
    Eric> certificate MUST be sent to the client as part of the handshake
    Eric> (aside from the anonymous DH cipher suites, that is...)

    >> OpenPGP?
    >>
    >> marajade-[~] mcr 1032 %finger ekr@rtfm.com
    >> finger: No address associated with hostname: rtfm.com

    Eric> What, you've never heard of key servers?

  Well, all the MUAs that I've used try finger first.

  The key servers are useful, true. But they are not examples of
distributed systems. Try, for instance, to get control over which
ekr@rtfm.com key is returned at a given time, or in which order. You
can't do that.

  You could do that if it was in your DNS server.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
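As an added example, not part of this message or of anything on the keydist list: the "put it in your DNS server" argument above implies publishing keys under the owner's own zone, and the DNS record defined for that is the CERT RR (RFC 4398). The encoder/decoder below builds and parses CERT RDATA and shows the zone owner choosing which OpenPGP keys appear in the RRset; the owner name, TTL and key bytes are constructed placeholders, and the PGP-specific field check is this example's own assumption, not a rule quoted from the thread.

```python
import base64
import struct

# CERT RR certificate-type codes (RFC 4398): the DNS record type for carrying
# certificates and keys, i.e. the mechanism a "PKI on DNS" would rely on.
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP"}
CERT_TYPE_PGP = 3

def encode_cert_rdata(cert_type: int, key_tag: int, algorithm: int, payload: bytes) -> bytes:
    """Wire-format RDATA: type(2) | key tag(2) | algorithm(1) | certificate/key bytes."""
    if cert_type not in CERT_TYPES:
        raise ValueError(f"unsupported CERT type {cert_type}")
    if cert_type == CERT_TYPE_PGP and (key_tag or algorithm):
        # An OpenPGP key has no DNSSEC algorithm number, so this example keeps
        # both fields at 0 for PGP records (an assumption of this example).
        raise ValueError("PGP CERT records carry key tag 0 and algorithm 0")
    if not payload:
        raise ValueError("empty certificate/key payload")
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + payload

def decode_cert_rdata(rdata: bytes) -> dict:
    """Parse wire-format RDATA back into its fields; truncated records are rejected."""
    if len(rdata) < 6:
        raise ValueError("CERT RDATA too short")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return {"type": CERT_TYPES.get(cert_type, str(cert_type)),
            "key_tag": key_tag, "algorithm": algorithm, "payload": rdata[5:]}

def to_presentation(owner: str, ttl: int, rdata: bytes) -> str:
    """Zone-file text form: <owner> <ttl> IN CERT <type> <key tag> <algorithm> <base64>."""
    f = decode_cert_rdata(rdata)
    b64 = base64.b64encode(f["payload"]).decode("ascii")
    return f"{owner} {ttl} IN CERT {f['type']} {f['key_tag']} {f['algorithm']} {b64}"

def published_keys(rrset: list, cert_type: int) -> list:
    """Payloads of one CERT type, in the order the zone owner listed them in the zone."""
    return [decode_cert_rdata(r)["payload"] for r in rrset
            if struct.unpack("!H", r[:2])[0] == cert_type]

# Constructed sample: two OpenPGP keys for one mailbox. Real records would hold
# binary OpenPGP packets; these are placeholder bytes, not keys.
KEY_A = b"\x99\x01\x0d" + b"A" * 8
KEY_B = b"\x99\x01\x0d" + b"B" * 8
RRSET = [encode_cert_rdata(CERT_TYPE_PGP, 0, 0, KEY_A),
         encode_cert_rdata(CERT_TYPE_PGP, 0, 0, KEY_B)]

if __name__ == "__main__":
    for r in RRSET:  # "ekr.rtfm.com." is a constructed owner name for the example
        print(to_presentation("ekr.rtfm.com.", 3600, r))
```

The zone owner decides which records exist in the RRset, which is the control the message says key servers do not give; note that DNS itself does not guarantee the order a resolver returns records in.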