[dnssec-deployment] DNSSEC and certificates.

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Thu Jan 20 19:14:11 EST 2005


> I say that putting (CA or self-signed) certificates into the DNS and 
> looking them up (using DNSSEC) for X.509 path validation when setting up 
> the TLS connection would give us a lot. I say it gives us better security 
> than what we usually do today. I say the CA people will hate the idea and 
> I understand them.
> 
> and it is all documented in my old - now expired - draft. copies can be 
> provided if people are interested.
> 
> 
>  	jakob

	isn't this the gist of the OE work?  and this was the core idea
	of the TBDS project that was done for DARPA in 1998.  in that case,
	the DNS was a wild and open construct.  One "discovered" various
	bits of topology and mapped the nodes it found into the common
	name-space.  There was a bit of tricky logic for tie-breaking that
	presumed CERT RRs were in the RRset for a delegation...
	
	So you could "walk" a trust chain, insofar as it was visible,
	and then you were presented with (perhaps) an X509 cert in a CERT
	RR.  the tricky bits were when you would get multiple answers for
	"www.shinkuro.com"  and the RRsets presented had different data.
	(and no, you could not presume to walk the trust chain from the
	root because the topology segmentation prevented you from reaching
	any of your SEP anchors)...

	nifty stuff.

--bill
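A sketch of the check Jakob's proposal implies, added here as an illustration and not code from this thread or from the OE or TBDS projects it mentions: parse CERT records (layout per RFC 4398: type, key tag, algorithm, base64 certificate), and accept a TLS peer certificate only if the RRset was DNSSEC-authenticated and the presented certificate equals one of the PKIX records. The sample certificates are constructed byte strings, and the `authenticated` argument stands in for the AD bit a validating resolver would report; it covers one authenticated RRset holding several differing records, not the harder case of different RRsets arriving from different sources.

```python
import base64
from dataclasses import dataclass

# Certificate type mnemonics from RFC 4398 section 2.1 (real values).
CERT_TYPES = {"PKIX": 1, "SPKI": 2, "PGP": 3, "IPKIX": 4, "ISPKI": 5,
              "IPGP": 6, "ACPKIX": 7, "IACPKIX": 8, "URI": 253, "OID": 254}


@dataclass(frozen=True)
class CertRecord:
    cert_type: int   # 16-bit type code
    key_tag: int     # 16-bit key tag of the key that signed the cert
    algorithm: int   # 8-bit DNSSEC algorithm number
    data: bytes      # the certificate itself (DER for PKIX)


def parse_cert_rr(rdata: str) -> CertRecord:
    """Parse CERT RDATA in presentation format: '<type> <key tag> <alg> <base64...>'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("CERT RDATA needs type, key tag, algorithm and certificate")
    type_field = fields[0].upper()
    cert_type = CERT_TYPES.get(type_field)
    if cert_type is None:
        cert_type = int(type_field)  # RFC 4398 also allows a numeric type
    key_tag = int(fields[1])
    algorithm = int(fields[2])
    if not (0 <= cert_type <= 0xFFFF and 0 <= key_tag <= 0xFFFF and 0 <= algorithm <= 0xFF):
        raise ValueError("CERT field out of range")
    # The base64 blob may be split across whitespace in zone files; rejoin it.
    data = base64.b64decode("".join(fields[3:]), validate=True)
    return CertRecord(cert_type, key_tag, algorithm, data)


def accept_peer_cert(rrset, authenticated: bool, peer_der: bytes):
    """Decide whether the certificate a TLS peer presented is endorsed by the CERT RRset.

    `authenticated` is assumed to carry a validating resolver's AD bit: without
    DNSSEC the RRset could have been spoofed, so nothing in it may be trusted.
    """
    if not authenticated:
        return False, "CERT RRset not DNSSEC-authenticated; refusing to trust it"
    pkix = [r for r in rrset if r.cert_type == CERT_TYPES["PKIX"]]
    if not pkix:
        return False, "no PKIX CERT records at this name"
    # Several differing records in one authenticated RRset are all legitimate
    # bindings for the name; the peer must match at least one of them exactly.
    for rec in pkix:
        if rec.data == peer_der:
            return True, f"peer certificate matches authenticated CERT record (key tag {rec.key_tag})"
    return False, f"peer certificate matches none of the {len(pkix)} authenticated PKIX records"


def to_b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed sample data: placeholder byte strings, not real DER certificates.
CERT_A = b"-- constructed DER placeholder: www.example.com cert A --"
CERT_B = b"-- constructed DER placeholder: www.example.com cert B --"
SAMPLE_RRSET = [
    parse_cert_rr(f"PKIX 12345 8 {to_b64(CERT_A)}"),
    parse_cert_rr(f"PKIX 54321 8 {to_b64(CERT_B)}"),
]

if __name__ == "__main__":
    for flag, presented in ((True, CERT_B), (False, CERT_B), (True, b"some other cert")):
        ok, why = accept_peer_cert(SAMPLE_RRSET, flag, presented)
        print("accept" if ok else "reject", "-", why)
```

The decision deliberately refuses everything when the AD bit is clear: a CERT lookup without DNSSEC validation is no stronger than the unauthenticated DNS answer it rode in on, which is exactly why the quoted proposal ties the two together.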
