To: John Stracke <jstracke@incentivesystems.com>
Cc: Key Distribution <keydist@cafax.se>
From: Greg Hudson <ghudson@MIT.EDU>
Date: 13 Jun 2002 15:22:43 -0400
In-Reply-To: <OF4A931F67.FFE1C8BB-ON85256BD7.004D98DC@incentivesystems.com>
Sender: owner-keydist@cafax.se
Subject: RE: Global PKI on DNS?
(CC list pruned to keydist.)

On Thu, 2002-06-13 at 10:08, John Stracke wrote:
> > The CERT extension to DNS allows placing a URI there; a URI is smaller
> > than a cert and stays in a UDP packet.
>
> Bootstrap problem: how can you trust the results of the URI?

You're confusing two different things people want to do with DNS and public keys, I think.

Some people just want to use DNS as a lookup service for certificates. You trust the certificates because they're signed by a CA, not because of DNSSEC. This might be a good idea (because DNS is an existing, replicated, mature, cached service) or it might be a bad idea (because DNS is an old protocol with limited transfer size and no congestion control, etc.).

Some people want to use DNSSEC to protect application keys or to additionally protect certificates. You can do this by putting keys in DNS, or by putting key fingerprints in DNS and looking up the keys some other way, or a bunch of other variations. This might be a good idea (because it unifies naming and authentication, because it's simpler than X.509, etc.) or it might be a bad idea (because it encourages a single authentication root, because DNS administrators aren't smart enough to handle keys, etc.).

The people you're responding to were probably only talking about the first goal. The appropriate class of argument is not "but then we can't trust the results of the URI, because it's not protected by DNSSEC" but "I want to use DNS instead of HTTP because I think it's a better service for that purpose." (Or "because it's simpler" or whatever. I'm not trying to argue for one side or the other right now.)
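The size argument in the quoted exchange (a URI "stays in a UDP packet", a certificate usually does not) is concrete enough to check. The example below is added here and is not code from anyone in this thread: it encodes DNS CERT RDATA in the RFC 2538 layout (type, key tag, algorithm, then the certificate or URL; type codes 4 to 8 were added later by RFC 4398), once with a certificate inline (type PKIX) and once with only a URL to it (type IPKIX), and estimates whether a one-answer response stays under the 512-byte UDP limit of RFC 1035 (EDNS0 raises that limit, which is the standard answer to Hudson's "limited transfer size" objection). The certificate bytes are a constructed placeholder of realistic length, not a real certificate; the name and URL are hypothetical. Note what the size check does not give you: fetching the URL yields a certificate you still verify against a CA, exactly as Hudson describes for the first goal; the CERT record itself is only trustworthy if DNSSEC covers it (the second goal).

```python
"""Encode/decode DNS CERT RDATA and estimate whether a response fits a
classic 512-byte UDP DNS message (RFC 1035, no EDNS0).

Added example for the keydist thread; not code from the original message.
The certificate blob and the URL below are constructed placeholders.
"""
import struct

# CERT type codes: 1-3 and 253-254 from RFC 2538; 4-8 added by RFC 4398.
CERT_TYPES = {
    "PKIX": 1, "SPKI": 2, "PGP": 3,
    "IPKIX": 4, "ISPKI": 5, "IPGP": 6, "ACPKIX": 7, "IACPKIX": 8,
    "URI": 253, "OID": 254,
}
CERT_TYPE_NAMES = {v: k for k, v in CERT_TYPES.items()}

UDP_LIMIT = 512        # RFC 1035 maximum DNS-over-UDP message without EDNS0
DNS_HEADER_LEN = 12


def dns_key_tag(key_rdata: bytes) -> int:
    """Key tag over DNSKEY/KEY RDATA, RFC 4034 Appendix B (general form)."""
    ac = 0
    for i, b in enumerate(key_rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def encode_cert_rdata(cert_type: str, payload: bytes,
                      key_tag: int = 0, algorithm: int = 0) -> bytes:
    """RDATA = type(2) | key tag(2) | algorithm(1) | certificate or URL.
    Key tag and algorithm are 0 here because the placeholder cert's key is
    not expressed as a DNSKEY; dns_key_tag() covers the case where it is."""
    return struct.pack("!HHB", CERT_TYPES[cert_type], key_tag, algorithm) + payload


def decode_cert_rdata(rdata: bytes):
    """Return (type name or code, key tag, algorithm, payload)."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its fixed 5-byte header")
    t, key_tag, alg = struct.unpack("!HHB", rdata[:5])
    return CERT_TYPE_NAMES.get(t, t), key_tag, alg, rdata[5:]


def wire_name(name: str) -> bytes:
    """Uncompressed wire form of a domain name: length-prefixed labels, root byte."""
    out = b""
    for label in [l for l in name.rstrip(".").split(".") if l]:
        enc = label.encode("ascii")
        if not 1 <= len(enc) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(enc)]) + enc
    return out + b"\x00"


def response_size(qname: str, rdatas) -> int:
    """Bytes in a response with one question and the given answer RDATAs.
    Assumes each answer's owner name is a 2-byte compression pointer to the
    question name, and no authority, additional or OPT records."""
    question = len(wire_name(qname)) + 4                     # QTYPE + QCLASS
    answers = sum(2 + 2 + 2 + 4 + 2 + len(r) for r in rdatas)  # ptr,TYPE,CLASS,TTL,RDLENGTH
    return DNS_HEADER_LEN + question + answers


def fits_in_udp(size: int, limit: int = UDP_LIMIT) -> bool:
    return size <= limit


# Constructed placeholder standing in for a ~1.2 KB DER certificate (not a real cert).
FAKE_DER_CERT = b"\x30\x82\x04\xb0" + b"\xAA" * 1200
# Hypothetical location of that certificate; example.net is a reserved name.
CERT_URL = b"https://pki.example.net/certs/alice.der"
QNAME = "alice.example.net."


def compare(qname=QNAME, der=FAKE_DER_CERT, url=CERT_URL):
    """Return (inline_size, inline_fits, indirect_size, indirect_fits)."""
    inline = encode_cert_rdata("PKIX", der)       # certificate carried in DNS
    indirect = encode_cert_rdata("IPKIX", url)    # only a URL carried in DNS
    s_in, s_ind = response_size(qname, [inline]), response_size(qname, [indirect])
    return s_in, fits_in_udp(s_in), s_ind, fits_in_udp(s_ind)


if __name__ == "__main__":
    s_in, ok_in, s_ind, ok_ind = compare()
    print(f"PKIX inline : {s_in} bytes, fits in {UDP_LIMIT}-byte UDP: {ok_in}")
    print(f"IPKIX URL   : {s_ind} bytes, fits in {UDP_LIMIT}-byte UDP: {ok_ind}")
```

With the placeholder certificate the inline answer is about 1.2 KB and the URL answer under 100 bytes, so only the latter survives a plain UDP query; a resolver without EDNS0 would get the inline answer truncated and have to retry over TCP.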