[dnssec-deployment] DNSSEC and certificates.
Sam Weiler
weiler+lists.dnssec-deploy at watson.org
Tue Jan 25 00:33:57 EST 2005
On Fri, 21 Jan 2005 bmanning at vacation.karoshi.com wrote:
> > I say that putting (CA or self-signed) certificates into the DNS and
> > looking them up (using DNSSEC) for X.509 path validation when setting up
> > the TLS connection would give us a lot. I say it gives us better security
> > than what we usually do today. I say the CA people will hate the idea and
> > I understand them.
>
> isn't this the gist of the OE work?
Not really.
It sounds like Jakob is talking about certs in the forward tree, where
a domain name would be bound to a cert.
OE (opportunistic encryption, FreeS/WAN) uses keying material stored
in the reverse tree to bind an IP address to a key. In OE, there's
nothing to guarantee that you're talking to the right host (assuming
you know the host by its domain name, which is a pretty valid
assumption for most of the world). If you can spoof forward-tree DNS,
you can redirect a user of OE.
-- Sam
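As an added illustration, not part of Sam's message or of any FreeS/WAN or DNSSEC code, here is a toy Python model of the two bindings contrasted above: a forward-tree record that ties a domain name to a certificate, and a reverse-tree record that ties an IP address to a key. Zone names, addresses, keys and the HMAC that stands in for DNSSEC signatures are all constructed for the example. It shows why a forged, unsigned forward answer redirects the OE-style client to a different host whose reverse-tree key still validates, while the name-to-cert client notices the mismatch.

```python
import hashlib
import hmac

# Constructed toy zone data; none of these names, addresses or keys are real.
# Each tree is "signed" with an HMAC standing in for DNSSEC RRSIGs, and the
# resolver only reports an answer as validated when that signature verifies.
ZONE_KEYS = {"forward": b"toy-forward-zone-key", "reverse": b"toy-reverse-zone-key"}


def sign(tree, name, rtype, value):
    msg = f"{name}|{rtype}|{value}".encode()
    return hmac.new(ZONE_KEYS[tree], msg, hashlib.sha256).hexdigest()


def rr(tree, name, rtype, value):
    return {"value": value, "sig": sign(tree, name, rtype, value)}


def reverse_name(ip):
    # 192.0.2.10 -> 10.2.0.192.in-addr.arpa.
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


# Forward tree: the name is bound to an address and to a cert fingerprint.
FORWARD = {
    ("www.example.com.", "A"): rr("forward", "www.example.com.", "A", "192.0.2.10"),
    ("www.example.com.", "CERT"): rr("forward", "www.example.com.", "CERT", "fp:example-legit"),
}
# Reverse tree (OE style): each address is bound to a key. The holder of
# 192.0.2.20 legitimately publishes a key for its own address.
REVERSE = {
    (reverse_name("192.0.2.10"), "KEY"): rr("reverse", reverse_name("192.0.2.10"), "KEY", "key:host-10"),
    (reverse_name("192.0.2.20"), "KEY"): rr("reverse", reverse_name("192.0.2.20"), "KEY", "key:host-20"),
}
# What each host actually presents when a client connects to it (constructed).
HOSTS = {
    "192.0.2.10": {"key": "key:host-10", "cert": "fp:example-legit"},
    "192.0.2.20": {"key": "key:host-20", "cert": "fp:other-site"},
}


def lookup(tree, name, rtype, forged=None):
    """Validating resolver: returns (value, validated).

    `forged` maps (name, rtype) to a substitute answer with no valid
    signature, modelling a spoofed forward-tree response."""
    zone = FORWARD if tree == "forward" else REVERSE
    if forged and tree == "forward" and (name, rtype) in forged:
        record = {"value": forged[(name, rtype)], "sig": "no-valid-signature"}
    else:
        record = zone.get((name, rtype))
    if record is None:
        return None, False
    expected = sign(tree, name, rtype, record["value"])
    return record["value"], hmac.compare_digest(record["sig"], expected)


def oe_connect(name, forged=None):
    """OE model: name -> address via ordinary forward DNS (signature not
    required), then address -> key via the signed reverse tree.
    Returns (address reached, accepted)."""
    ip, _ = lookup("forward", name, "A", forged)
    key, validated = lookup("reverse", reverse_name(ip), "KEY")
    accepted = validated and HOSTS[ip]["key"] == key
    return ip, accepted


def forward_cert_connect(name, forged=None):
    """Forward-tree model: name -> cert via the signed forward tree; the peer
    actually reached must present that cert. Returns (address reached, accepted)."""
    ip, _ = lookup("forward", name, "A", forged)
    cert, validated = lookup("forward", name, "CERT", forged)
    accepted = validated and HOSTS[ip]["cert"] == cert
    return ip, accepted


if __name__ == "__main__":
    redirect = {("www.example.com.", "A"): "192.0.2.20"}
    print("OE, honest DNS:       ", oe_connect("www.example.com."))
    print("OE, forged A record:  ", oe_connect("www.example.com.", redirect))
    print("CERT, honest DNS:     ", forward_cert_connect("www.example.com."))
    print("CERT, forged A record:", forward_cert_connect("www.example.com.", redirect))
```

The point of the model is the second line of output: the OE-style client reaches 192.0.2.20 and still accepts, because the reverse-tree key for that address is genuine; the binding it checks is address-to-key, and the forged step happened before that binding. The name-to-cert client rejects the same redirect because the cert it validated belongs to the name, not to whichever address it was steered to.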