To:
<dnssec@cafax.se>
Cc:
lewis@tislabs.com
From:
Edward Lewis <lewis@tislabs.com>
Date:
Tue, 4 Sep 2001 15:54:21 -0400
In-Reply-To:
<ilu7kvezr3l.fsf@barbar.josefsson.org>
Sender:
owner-dnssec@cafax.se
Subject:
Re: CERTificates and public keys
At 3:35 PM -0400 9/4/01, Simon Josefsson wrote: > >It is already possible to put a public key that is not signed by a CA >in a CERT record. Let's use it. > >(Ok, if SSH wants a certificate type number in CERT of its own, they >need to register one. But the same holds for KEY.) Why force SSH to use a certificate? There are two things a client needs to make a secure connection - the IP address and server host key. The IP address is coming out of DNS, so implicitly there is trust in the DNS admin to enter the right data. Why is the server host key any different? What are the "requirements" motivating the use of a certificate structure instead of a raw public key? Why do the extra processing needed to get the server host key into a certificate, ship a certificate, and then parse and extract the key from the certificate in the client? -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis NAI Labs Phone: +1 443-259-2352 Email: lewis@tislabs.com You fly too often when ... the airport taxi is on speed-dial. Opinions expressed are property of my evil twin, not my employer.