[dnssec-deployment] DNSSEC and certificates.
bmanning at vacation.karoshi.com
Tue Jan 25 01:17:04 EST 2005
On Mon, Jan 24, 2005 at 09:33:57PM -0800, Sam Weiler wrote:
> On Fri, 21 Jan 2005 bmanning at vacation.karoshi.com wrote:
>
> > > I say that putting (CA or self-signed) certificates into the DNS and
> > > looking them up (using DNSSEC) for X.509 path validation when setting up
> > > the TLS connection would give us a lot. I say it gives us better security
> > > than what we usually do today. I say the CA people will hate the idea and
> > > I understand them.
> >
> > isn't this the gist of the OE work?
>
> Not really.
>
> It sounds like Jakob is talking about certs in the forward tree, where
> a domain name would be bound to a cert.
>
> OE (opportunistic encryption, FreeS/WAN) uses keying material stored
> in the reverse tree to bind an IP address to a key. In OE, there's
> nothing to guarantee that you're talking to the right host (assuming
> you know the host by its domain name, which is a pretty valid
> assumption for most of the world). If you can spoof forward-tree DNS,
> you can redirect a user of OE.
er, to clarify what i said...
the process of "looking them up (using DNSSEC)" means, to
this bear of very little brain - VALIDATION - of the chain
of custody/delegation. and lo & behold - at the end of that validation
step one finds an RRset which includes a CERT rr (or equivalent).
Jakob's claim that a self-signed X.509 cert that could be stored in
a CERT RR is better security than we have today... and I agree with
him. He is also correct that the CA posse will be uncomfortable
with this idea... and I agree with him. Of course one could
put in x.509 certs that are signed through the PKI/CA tangle, which
might be helpful/comforting to some, but the idea that there is yet
another "check" on the data is a good one -
i said nothing about forward/reverse or assurance about which
label one might be looking at/for. the -PROCESS- is the same.
at least as I understand it. if there is a fundamental difference,
which you seem to assert ( with the "Not really") then you did not
make it clear what that distinction was/is. if i was unclear, then
i am sorry for wasting your time.
>
> -- Sam
--bill
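The check Bill describes above (validate the DNSSEC chain first, then read the CERT RR found at the end of it and compare it with the certificate the TLS peer presents), written out as an added Python example that is not part of this thread. It assumes the DNSSEC validation outcome is handed in as a boolean (for instance the AD bit from a trusted validating resolver), that the RRset arrives in RFC 4398 presentation format, and the certificate bytes below are constructed stand-ins, not a real DER certificate.

```python
import base64
import hashlib
from dataclasses import dataclass

# RFC 4398 certificate type mnemonics (section 2.1); only PKIX carries a full X.509 cert.
CERT_TYPES = {"PKIX": 1, "SPKI": 2, "PGP": 3, "IPKIX": 4, "ISPKI": 5,
              "IPGP": 6, "ACPKIX": 7, "IACPKIX": 8, "URI": 253, "OID": 254}
PKIX = 1

@dataclass
class CertRR:
    cert_type: int
    key_tag: int      # RFC 4034 App. B key tag of the embedded key; a lookup hint only
    algorithm: int    # DNSSEC algorithm number, 0 when not applicable
    certificate: bytes

def parse_cert_rdata(rdata: str) -> CertRR:
    """Parse CERT RDATA in presentation form: 'type key-tag algorithm base64...'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("CERT RDATA needs type, key tag, algorithm and certificate")
    ctype = CERT_TYPES.get(fields[0].upper())
    if ctype is None:
        ctype = int(fields[0])          # the numeric form is also legal
    # the base64 text may be split over several whitespace-separated tokens
    cert = base64.b64decode("".join(fields[3:]), validate=True)
    return CertRR(ctype, int(fields[1]), int(fields[2]), cert)

def peer_cert_matches_dns(dnssec_validated: bool, cert_rrset: list[str],
                          peer_cert_der: bytes) -> bool:
    """Accept the TLS peer certificate only if the CERT RRset was reached through a
    validated DNSSEC chain and one PKIX record holds exactly this certificate."""
    if not dnssec_validated:
        # an unvalidated RRset is just bytes from the network; it proves nothing
        return False
    want = hashlib.sha256(peer_cert_der).digest()
    for rr in cert_rrset:
        rec = parse_cert_rdata(rr)
        if rec.cert_type != PKIX:
            continue                    # SPKI, PGP, URI etc. need other handling
        if hashlib.sha256(rec.certificate).digest() == want:
            return True
    return False

# Constructed sample input: stand-in bytes, not a real DER certificate.
SAMPLE_PEER_DER = b"\x30\x82\x01\x00constructed-self-signed-cert-bytes"
SAMPLE_RRSET = [
    "PKIX 12345 5 " + base64.b64encode(SAMPLE_PEER_DER).decode(),
    "PGP 0 0 " + base64.b64encode(b"not-an-x509-cert").decode(),
]

if __name__ == "__main__":
    print(peer_cert_matches_dns(True, SAMPLE_RRSET, SAMPLE_PEER_DER))   # True
    print(peer_cert_matches_dns(False, SAMPLE_RRSET, SAMPLE_PEER_DER))  # False
```

The key tag field is parsed but not verified: it is only a selector for the embedded key, and on its own it authenticates nothing.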