

To: Eric Rescorla <ekr@rtfm.com>
Cc: David Conrad <david.conrad@nominum.com>, Key Distribution <keydist@cafax.se>
From: Derek Atkins <derek@ihtfp.com>
Date: 12 Jun 2002 14:35:03 -0400
In-Reply-To: <200206121658.g5CGwIW11251@romeo.rtfm.com>
Sender: owner-keydist@cafax.se
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
Subject: Re: Global PKI on DNS?

Eric Rescorla <ekr@rtfm.com> writes:

> Let's take a step back here: The message I was responding to was just
> suggesting shoving X.509 certs into the DNS. I don't think that's of
> much value. This is a different question from whether some parallel
> DNS-based PKI would be of value.

The value is the ability to use the existing infrastructure where:
        a) the naming is the same (domain names)
        b) the "delegations" are the same (domain names)
        c) you need this out-of-band certificate lookup capability.

There are multiple issues going on here.  One issue is using DNS
_purely_ as a certificate lookup/distribution technology, where
applications verify the certificate themselves.  When the certificate
is naming domain-name-like entities, it would seem that re-using the
existing distributed database based on the same names would be a major
win.

The second issue is using the DNS (with DNSSEC) as a PKI.  I know some
people (Keith) have major problems with that issue, so let's separate
them out.

> All of the interactive protocols have their own mechanisms. As I said,
> the screw cases are the store and forward encryption protocols,
> i.e. S/MIME and PGP. PGP at least has its own certificate
> distribution mechanism (in fact, more than one).

PGP doesn't define one, last I checked.  There are the ad-hoc 'graff'
and 'hkp' protocols, but they are ad-hoc.

> I don't have any basic objection to using DNS as a certificate
> distribution system for S/MIME

Good, so maybe we can move forward.

> , but I also don't think it's that
> important or valuable. People can't even be bothered to get
> certificates now, let alone arrange for their admin to cram them
> in the DNS.

Well, others seem to feel that this is either important or valuable.
Since you don't have any objection to the concept, then perhaps we can
still move forward.  Just because you don't see the value does not
imply that there is no value ;)

> -Ekr

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
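The first of Derek's two issues, DNS as a pure lookup/distribution channel where the application verifies the certificate itself, is easy to get wrong by treating whatever DNS returns as trusted. The following is an added example and is not code from the thread or from any of the participants. It assumes the RFC 2538 CERT resource record layout (2-byte type, 2-byte key tag, 1-byte algorithm, then the certificate bytes), which the message does not name, and it treats the certificate payload as an opaque byte string that is fingerprinted rather than fully validated; all record contents below are constructed sample data.

```python
"""Added example (not part of the original keydist thread): use DNS purely as a
certificate lookup channel and keep the trust decision in the application.

Assumptions (also stated in the lead-in):
  * record format is the RFC 2538 CERT RR: type, key tag, algorithm, certificate;
  * the certificate payload is treated as opaque bytes and matched by SHA-256
    fingerprint against trust the application obtained out of band; a real
    client would hand the bytes to its X.509 validator instead;
  * every record below is constructed sample data, not real DNS content.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# RFC 2538 CERT type values relevant to this discussion.
CERT_TYPE_PKIX = 1   # X.509 certificate (PKIX)
CERT_TYPE_SPKI = 2
CERT_TYPE_PGP = 3

CERT_HEADER = struct.Struct("!HHB")  # type, key tag, algorithm (network order)


@dataclass(frozen=True)
class CertRecord:
    cert_type: int
    key_tag: int
    algorithm: int
    certificate: bytes


def parse_cert_rdata(rdata: bytes) -> CertRecord:
    """Parse CERT RDATA into its fields; reject truncated or empty payloads."""
    if len(rdata) < CERT_HEADER.size:
        raise ValueError("CERT RDATA shorter than the 5-byte fixed header")
    cert_type, key_tag, algorithm = CERT_HEADER.unpack(rdata[:CERT_HEADER.size])
    certificate = rdata[CERT_HEADER.size:]
    if not certificate:
        raise ValueError("CERT RDATA carries no certificate bytes")
    return CertRecord(cert_type, key_tag, algorithm, certificate)


def build_cert_rdata(cert_type: int, key_tag: int, algorithm: int,
                     certificate: bytes) -> bytes:
    """Inverse of parse_cert_rdata, used here only to construct sample records."""
    return CERT_HEADER.pack(cert_type, key_tag, algorithm) + certificate


def fingerprint(certificate: bytes) -> str:
    """SHA-256 hex fingerprint of the certificate bytes."""
    return hashlib.sha256(certificate).hexdigest()


def select_trusted_cert(rrset: Iterable[bytes],
                        trusted_fingerprints: Set[str]) -> Optional[CertRecord]:
    """Application-side trust decision over an RRset returned by DNS.

    The lookup succeeded, but nothing in the answer is trusted on its own:
    malformed records are skipped, non-X.509 records are ignored, and only a
    certificate whose fingerprint matches out-of-band trust is returned.
    """
    for rdata in rrset:
        try:
            record = parse_cert_rdata(rdata)
        except ValueError:
            continue  # one bad record must not poison the whole lookup
        if record.cert_type != CERT_TYPE_PKIX:
            continue
        if fingerprint(record.certificate) in trusted_fingerprints:
            return record
    return None


# Constructed sample data: stand-ins for DER blobs, not real certificates.
ALICE_CERT = b"constructed-x509-der-for-alice@example.org"
MALLORY_CERT = b"constructed-x509-der-planted-by-someone-else"
SAMPLE_RRSET = [
    build_cert_rdata(CERT_TYPE_PGP, 0x1234, 1, b"constructed-pgp-key"),  # wrong type
    b"\x00\x01\x00",                                                        # truncated
    build_cert_rdata(CERT_TYPE_PKIX, 0x5678, 1, MALLORY_CERT),              # untrusted
    build_cert_rdata(CERT_TYPE_PKIX, 0x9abc, 1, ALICE_CERT),                # trusted
]


if __name__ == "__main__":
    chosen = select_trusted_cert(SAMPLE_RRSET, {fingerprint(ALICE_CERT)})
    print("trusted certificate found:", chosen is not None)
```

The point the code makes is the separation Derek draws: DNS answers the "where is the certificate for this name" question, and the application still has to decide whether to believe it, here by matching a fingerprint it already trusts. With DNSSEC in place (his second issue), the integrity of the lookup itself is also covered, but that is a separate property from the certificate being one the application should accept.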


