To: dnssec@cafax.se
From: Dan Massey <masseyd@isi.edu>
Date: Tue, 4 Sep 2001 09:57:57 -0400
Content-Disposition: inline
In-Reply-To: <v0313030fb7b5b3859e0d@[208.58.208.168]>; from lewis@tislabs.com on Fri, Aug 31, 2001 at 05:45:25PM -0400
Sender: owner-dnssec@cafax.se
User-Agent: Mutt/1.2.5i
Subject: Re: CERTificates and public keys
On Friday, August 31, 2001 at 05:45PM, Ed Lewis wrote:

| First, this thread got a bit larger than it needed - there is (should be)
| little debate about the relative flexibility of public key structures and
| certificate structures (obviously because a public key is an important
| ingredient of a certificate). There is also no reason to argue that DNS
| (with or without DNSSEC) is in any way a PKI.
|
| The original question was whether or not certificates made sense in
| applications - and the one Wes and I had in mind was SSH (as a starter).
| SSH has no current certificate processing code in it - that can be easily
| overcome. What is problematic is the lack of a PKI to produce certificates
| for SSH - and the lack of a defined means of chaining trust through "SSH"
| certificates.
|

I think the original question was whether an SSH key should be stored in the
DNS as a CERT or KEY record. My answer to this is that application keys belong
in the CERT record.

I don't think anyone was suggesting that you define a separate SSH PKI or a
means of chaining through SSH certificates. In fact, I would argue for the
opposite. Any SSH PKI is clearly outside the scope of DNSSEC and the resolver
should not be involved in certificate chaining in any way. You just want to
make sure that:

1. You store the keys in the way that makes the most sense for the resolver.
   CERT record in my opinion. You don't gain any security by using a KEY, and
   the drawback is that the KEY record ends up holding both application and
   infrastructure data.

2. You don't prevent other people from building an SSH PKI. If an SSH
   certificate or PKI is created, would the SSH key then be stored in both a
   CERT and a KEY??

| My sense of this thread is that the debate of "public key versus
| certificate" is one that cannot be generalized. The issue is an
| application-by-application problem. I guess a future mental exercise is to
| design a "PKI" (and I don't mean reimplement OpenSSL) infrastructure for
| SSH.
(This would be off-topic for this list.)
|

Perhaps instead of asking to reserve type 22 from the KEY record, why not
reserve type 4 of the CERT record and use this for "Generic Public Key". You
could then store your ssh key in this record.

Dan
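As an added illustration (not part of the post or of any DNS implementation), this is what a CERT RDATA carrying a bare application key would look like on the wire, using the RFC 2538 layout (2-octet type, 2-octet key tag, 1-octet algorithm, then the certificate or key body). The type value 4 is the slot the email proposes for "Generic Public Key"; it is used here purely as a placeholder, and the key tag is computed with the RFC 2535 Appendix C routine over the raw key bytes, a simplifying assumption (the RFC computes it over the embedded key's KEY RDATA).

```python
import struct

# Placeholder for the "Generic Public Key" CERT type proposed in the email.
# Assumption for this example only; not a registered IANA value.
PROPOSED_GENERIC_PUBKEY_TYPE = 4


def key_tag(key_bytes: bytes) -> int:
    """RFC 2535 Appendix C key tag: 16-bit ones-complement-style fold.
    Applied to the raw key bytes here as a simplification."""
    ac = 0
    for i, b in enumerate(key_bytes):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def encode_cert_rdata(cert_type: int, algorithm: int, body: bytes) -> bytes:
    """Build CERT RDATA: type | key tag | algorithm | body (RFC 2538 section 2)."""
    return struct.pack("!HHB", cert_type, key_tag(body), algorithm) + body


def decode_cert_rdata(rdata: bytes) -> dict:
    """Parse CERT RDATA and report whether the stored key tag matches the body.
    A mismatch means the record was corrupted or the tag was computed over
    something other than the body, which a consumer should notice rather than
    silently trust."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than the 5-octet fixed header")
    cert_type, tag, algorithm = struct.unpack("!HHB", rdata[:5])
    body = rdata[5:]
    return {
        "type": cert_type,
        "key_tag": tag,
        "algorithm": algorithm,
        "body": body,
        "tag_matches": key_tag(body) == tag,
    }


if __name__ == "__main__":
    # Constructed sample key bytes; algorithm number is a made-up value here.
    sample_key = b"\x01\x02\x03\x04"
    rdata = encode_cert_rdata(PROPOSED_GENERIC_PUBKEY_TYPE, 1, sample_key)
    print(rdata.hex(), decode_cert_rdata(rdata))
```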