To: Edward Lewis <lewis@tislabs.com>
Cc: dnssec@cafax.se
From: Derek Atkins <warlord@MIT.EDU>
Date: 04 Sep 2001 21:07:58 -0400
In-Reply-To: Edward Lewis's message of "Tue, 4 Sep 2001 20:50:02 -0400"
Sender: owner-dnssec@cafax.se
Subject: Re: CERTificates and public keys

Edward Lewis <lewis@tislabs.com> writes:

> I think the following passage is why I and others feel that the CERT is for
> publishing products of the Security Mafia:

Note that SSH is also a product of the Security Mafia, and SSH does not use "Certificates" per se. But I agree that CERT should still be used for SSH keys.

> #6. Security Considerations
> #
> # By definition, certificates contain their own authenticating
> # signature. Thus it is reasonable to store certificates in non-secure
> # DNS zones or to retrieve certificates from DNS with DNS security
> # checking not implemented or deferred for efficiency.

And again, you skip the very next paragraph, which reads:

   Alternatively, if certificates are retrieved from a secure DNS zone
   with DNS security checking enabled and are verified by DNS security,
   the key within the retrieved certificate MAY be trusted without
   verifying the certificate chain if this conforms with the user's
   security policy.

> If we pursue this, we should revise 2538 to change section 6.

I definitely agree that section 6 of RFC 2538 needs to be re-worded. Indeed, I think a number of sections in 2538 need to be re-worded to more clearly explain that CERT records do not imply "Certificates". Rather, CERT records imply "Application Keys" which in MANY cases are "certificates" but are not so in all cases.

I believe it is this confusion (which resulted from poor wording in 2538) that has caused much of our problem here.

-derek

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available