To: Eric Rescorla <ekr@rtfm.com>
cc: Key Distribution <keydist@cafax.se>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Wed, 12 Jun 2002 14:42:51 -0400
In-reply-to: Your message of "Wed, 12 Jun 2002 10:37:46 PDT." <200206121737.g5CHbkW11308@romeo.rtfm.com>
Sender: owner-keydist@cafax.se
Subject: Re: Global PKI on DNS?

-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Eric" == Eric Rescorla <ekr@rtfm.com> writes:
    >> >>>>> "Eric" == Eric Rescorla <ekr@rtfm.com> writes:
    Eric> Nearly all of the major IETF security protocols (TLS, IPsec,
    Eric> OpenPGP) already have their own certificate discovery mechanism and
    Eric> therefore
    >> I guess I'm ignorant of them.
    >> 
    >> Your email MTA seems to be 198.144.203.251. I want to send you an
    >> IPsec secured ping, where do I look for your key?
    >> 
    >> If email MTA supported STARTTLS, where would I look to get a copy of
    >> the certificate, other than inside the protocol?

    Eric> So, what you mean to say here is: "Aside from the place where I'm
    Eric> supposed to get certificates from, where am I supposed to get
    Eric> certificates from?"

  Yes, where am I supposed to get the certificates for the keys which signed
the certificate that you gave me in protocol?  You can't be assuming that
there will always be a single level of trust, and we will all use the same CA?

    Eric> no reason in either case for you to go outside the protocol to get the
    Eric> key. In fact, in TLS it's impossible to do so because the server's
    Eric> certificate MUST be sent to the client as part of the handshake
    Eric> (aside from the anonymous DH cipher suites, that is...)

    >> OpenPGP?
    >> 
    >> marajade-[~] mcr 1032 %finger ekr@rtfm.com finger: No address
    >> associated with hostname: rtfm.com

    Eric> What, you've never heard of key servers?

  Well, all the MUAs that I've used try finger first.
  The key servers are useful, true. But they are not examples of distributed
systems. Try, for instance, to get control which ekr@rtfm.com key is returned
at a given time, or in which order. You can't do that. You could do that if
it was in your DNS server.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys

iQCVAwUBPQeWKoqHRg3pndX9AQHt8wQAhLd6fdcAknqnIfAImf/Z59Dizz3yjzLm
ISaFyHgIqOkrCX3XUAAR3Q5VuWVrhLTwFDS5jtKZOPNDs0tFth90vo2fuskVC//B
uPked5eln+PjM/lX6T/B5YWJPWeb3EKeUOc4S/JKCQpMru6R9WvvEpRVAnMhKS1X
QIlcynXRlKk=
=TTHU
-----END PGP SIGNATURE-----