

To: Richard Shockey <rshockey@ix.netcom.com>
Cc: Greg Hudson <ghudson@MIT.EDU>, keydist@cafax.se, smb@research.att.com, jis@MIT.EDU
From: Derek Atkins <derek@ihtfp.com>
Date: 03 Oct 2002 23:14:52 -0400
In-Reply-To: <5.1.0.14.2.20021003220917.01f9a5e8@popd.ix.netcom.com>
Sender: owner-keydist@cafax.se
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
Subject: Re: I intend to have a document ready for Atlanta on this subject.

Richard Shockey <rshockey@ix.netcom.com> writes:

> I accept and support the notion that the line has been drawn in the
> DNS with application specific PKI and it's time to solve the problem
> associated with it.

Except no such line has been drawn.  Some people would like to draw
it, but there is certainly no consensus that such a line exists.
There are certainly cases for which storing application keys directly
in the DNS is absolutely the right solution.  On the other hand,
nothing says that it has to be the only solution.

> >Given the distributed nature of DNS, it is not at all clear that there
> >is a "large burden" problem.  Only zones which deign to serve key
> >records would suffer the burden of distributing them.
> >
> >And based on the discussion I've seen, I don't think "most observers"
> >hold the opinion you say that do.
>
> I'm not so sure ..but revisiting the discussion is useful .. the
> problem statement still exists and it is useful and productive work
> for the IETF to resolve.

Well, application keys certainly are "never" going to be stored or
delivered by the root servers or gtld servers.  The keys live out at
the leaves.  Assuming a key-in-DNS solution, by the time you're at the
leaf requesting a key, you've already passed through the high-load
servers to get the A record.  Getting the key is "easy", and only
requires a request to the leaf server.

> Again I still submit that pointers are more useful, more flexible and
> that the burden is therefore distributed and not placed on the DNS
> servers, which have enough to do as it is. Again I support the ongoing
> admonitions about further burdening the DNS. I believe that a strict
> separation between infrastructure uses of PKI and applications is
> necessary and required.

I would argue that pointers add unnecessary indirection and extra
round trips.  Indirection is not always a good thing.  In fact, when
security is concerned, the fewer indirections the better: fewer things
for the protocol designer or implementor to get wrong or forget to
check.

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
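The round-trip and server-load argument in the message above can be made concrete with a small simulation. The following is an added illustration, not code from the thread or from any DNS implementation: it models iterative resolution over a constructed zone tree (root, two constructed TLD servers, a leaf zone for example.com and a key host under example.net), with a resolver that caches delegations the way a real resolver does, and counts the queries each server answers when a client fetches an application key directly from the leaf zone versus through a pointer record. The record type names `KEY` and `KEYPTR`, the server names, and the key value are all assumptions made up for the example; the model also includes the check a pointer design needs, that the key eventually fetched is actually bound to the name the client asked about.

```python
"""Toy iterative DNS resolution: count round trips and per-server load for
'key stored in the leaf zone' versus 'pointer in the leaf zone to a key held
elsewhere'. Added illustration with constructed zones; not real DNS data."""
from collections import Counter
from dataclasses import dataclass, field

# Constructed key value; the prefix names the owner the key is bound to.
KEY = 'mail.example.com:KEY-1'


@dataclass
class Server:
    name: str
    records: dict = field(default_factory=dict)      # (owner, rrtype) -> value
    delegations: dict = field(default_factory=dict)  # child zone -> Server


def query(server, owner, rrtype, load):
    """One round trip to `server`; increments that server's query count.
    Returns ('answer', value), ('referral', (zone, child)) or ('nxdomain', None)."""
    load[server.name] += 1
    if (owner, rrtype) in server.records:
        return 'answer', server.records[(owner, rrtype)]
    best = None  # longest delegated zone that covers `owner`
    for zone, child in server.delegations.items():
        if owner == zone or owner.endswith('.' + zone):
            if best is None or len(zone) > len(best[0]):
                best = (zone, child)
    return ('referral', best) if best else ('nxdomain', None)


class Resolver:
    """Iterative resolver that remembers referrals, so a second query for a
    name under an already-seen zone goes straight to that zone's server."""

    def __init__(self, root):
        self.root = root
        self.ns_cache = {}      # zone -> Server learned from referrals
        self.load = Counter()   # server name -> queries answered

    def _closest_known_server(self, owner):
        best, best_len = self.root, -1
        for zone, srv in self.ns_cache.items():
            if (owner == zone or owner.endswith('.' + zone)) and len(zone) > best_len:
                best, best_len = srv, len(zone)
        return best

    def lookup(self, owner, rrtype):
        """Returns (value or None, round trips used for this lookup)."""
        server, trips = self._closest_known_server(owner), 0
        while True:
            kind, val = query(server, owner, rrtype, self.load)
            trips += 1
            if kind == 'answer':
                return val, trips
            if kind == 'referral':
                zone, server = val
                self.ns_cache[zone] = server
                continue
            return None, trips


def build_tree(mode, key_value=KEY):
    """Constructed zone tree. 'direct' puts the key in the leaf zone; the two
    pointer modes put a KEYPTR in the leaf zone naming where the key lives."""
    leaf = Server('ns.example.com', {('mail.example.com', 'A'): '192.0.2.10'})
    keyhost = Server('ns.example.net', {('keys.example.net', 'KEY'): key_value})
    if mode == 'direct':
        leaf.records[('mail.example.com', 'KEY')] = key_value
    elif mode == 'pointer-same-zone':
        leaf.records[('mail.example.com', 'KEYPTR')] = 'keys.example.com'
        leaf.records[('keys.example.com', 'KEY')] = key_value
    elif mode == 'pointer-other-zone':
        leaf.records[('mail.example.com', 'KEYPTR')] = 'keys.example.net'
    else:
        raise ValueError(mode)
    com = Server('tld-com', delegations={'example.com': leaf})
    net = Server('tld-net', delegations={'example.net': keyhost})
    return Server('root', delegations={'com': com, 'net': net})


def fetch_key(resolver, name, mode):
    """Resolve the A record first (work every client already does), then the key.
    Returns (key or None, total round trips); None if the key is not bound to `name`."""
    _, trips = resolver.lookup(name, 'A')
    if mode == 'direct':
        key, t = resolver.lookup(name, 'KEY')
    else:
        target, t = resolver.lookup(name, 'KEYPTR')
        trips += t
        if target is None:
            return None, trips
        key, t = resolver.lookup(target, 'KEY')
    trips += t
    # Binding check: a key reached through indirection must still be the key
    # for the name originally asked about, or an attacker-chosen pointer wins.
    if key is None or not key.startswith(name + ':'):
        return None, trips
    return key, trips


def run(mode, key_value=KEY):
    """Returns (key, round trips, {server: queries}) for one scenario."""
    resolver = Resolver(build_tree(mode, key_value))
    key, trips = fetch_key(resolver, 'mail.example.com', mode)
    return key, trips, dict(resolver.load)


if __name__ == '__main__':
    for mode in ('direct', 'pointer-same-zone', 'pointer-other-zone'):
        key, trips, load = run(mode)
        print(f'{mode:20s} trips={trips} load={load} key={key}')
```

Running it shows the shape of the argument: with the delegation chain already cached from the A lookup, the direct key costs one extra query and that query lands only on the leaf server, while a pointer into a different zone sends the resolver back through the root and another TLD, so the indirection does not relieve the high-load servers in this model. The binding check matters regardless of the layout: it is the step a pointer design adds that a direct record does not need.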


