[dnssec-deployment] DKIM and DNSSEC -- a representative added value from DNSSEC

bmanning at vacation.karoshi.com
Fri Feb 10 10:49:03 EST 2006


On Fri, Feb 10, 2006 at 09:47:12AM -0500, Stuart E. Schechter wrote:
> > On Thu, Feb 09, 2006 at 06:37:40PM -0500, Thierry Moreau wrote:
> >> Perhaps a significant DNSSEC benefit lies in this contemplated
> >> use of DNSSEC for the authenticated distribution of public keys
> >> for other security schemes.
> > 
> > Peter Koch <pk at DENIC.DE> then wrote
> > as much as I like the idea of RFC 4255 and others, I fear that this is
> > one geek technology supported by another one. How many users do really
> > understand to check the fingerprint upfront?
> 
>    Very few.  Isn't this why one would want to implement 4255 and configure
> your SSH client never to accept fingerprints that couldn't be verified
> through DNS with DNSSEC?  This would be easy to do within an organization.
>    
> > The DNSSEC signatures over SSHFPs or IPSECKEYs or others are no certificates.
> > They are helpful in that they provide for the usual data origin
> > authentication, but no more.
> 
>    I don't see the difference.  Certificates indicate that the public key
> data originated from the owner of a domain name.  It's functionally the same
> thing.

	you're asserting that the domain name holder is functionally identical
	to the sysadmin of a machine.  empirically we know this is not the 
	case. in the case of MIT, what assurances do I have that you have
	given Jeff your computer's ssh keys to put into the DNS?

--bill
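RFC 4255 SSHFP records, the mechanism the thread is arguing about, carry a hash of the host's public key, and a strictly configured client trusts them only when the DNS answer was DNSSEC-validated. The following is an added example, not code from this thread or from OpenSSH: it derives the SSHFP RDATA from an OpenSSH-format public key line and checks a presented host key against a record set, refusing to trust any record whose answer was not validated. The sample key line is constructed from arbitrary key material and is not a real host key; the `dnssec_validated` parameter stands in for the AD bit the caller is assumed to read from a validating resolver. The SHA-256 fingerprint type (2) and the ECDSA and Ed25519 algorithm numbers come from RFC 6594 and RFC 7479, which extend the original RFC 4255 table.

```python
"""Build RFC 4255 SSHFP records from OpenSSH public keys and verify a presented
host key against them, trusting the records only when the resolver reported
DNSSEC validation (the AD bit).  Added example; not code from the thread or
from OpenSSH."""
import base64
import hashlib
import hmac
import struct
from typing import Dict, List, NamedTuple

# SSHFP algorithm numbers: 1 RSA, 2 DSA (RFC 4255); 3 ECDSA (RFC 6594); 4 Ed25519 (RFC 7479).
SSHFP_ALGORITHMS: Dict[str, int] = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# Fingerprint types: 1 SHA-1 (RFC 4255), 2 SHA-256 (RFC 6594).
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


class SSHFP(NamedTuple):
    algorithm: int
    fptype: int
    fingerprint: str  # lowercase hex, as in the presentation format


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string' encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_openssh_pubkey(line: str):
    """Split an OpenSSH public key line into (key type, raw key blob).
    The SSHFP fingerprint is taken over the blob, i.e. the base64-decoded field."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64> [comment]'")
    keytype, blob = fields[0], base64.b64decode(fields[1])
    # The blob starts with its own key type string; reject lines where the two disagree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type field does not match the key blob")
    return keytype, blob


def sshfp_from_pubkey(line: str, fptype: int = 2) -> SSHFP:
    """Compute the SSHFP RDATA for a public key line (defaults to SHA-256)."""
    keytype, blob = parse_openssh_pubkey(line)
    return SSHFP(SSHFP_ALGORITHMS[keytype], fptype, SSHFP_FPTYPES[fptype](blob).hexdigest())


def format_sshfp_rr(owner: str, rr: SSHFP) -> str:
    """Zone-file presentation format: owner IN SSHFP <alg> <fptype> <hex>."""
    return f"{owner} IN SSHFP {rr.algorithm} {rr.fptype} {rr.fingerprint}"


def host_key_matches(line: str, records: List[SSHFP], dnssec_validated: bool) -> bool:
    """Accept the presented host key only if a DNSSEC-validated SSHFP record
    matches it.  `dnssec_validated` stands in for the AD bit the caller read
    from a validating resolver; unvalidated records are never trusted, which
    is the strict client configuration the thread describes."""
    if not dnssec_validated:
        return False
    keytype, blob = parse_openssh_pubkey(line)
    alg = SSHFP_ALGORITHMS.get(keytype)
    for rr in records:
        if rr.algorithm != alg or rr.fptype not in SSHFP_FPTYPES:
            continue  # skip records for other key types or unknown hash types
        digest = SSHFP_FPTYPES[rr.fptype](blob).hexdigest()
        if hmac.compare_digest(digest, rr.fingerprint.lower()):
            return True
    return False


def make_constructed_pubkey(key_material: bytes, comment: str = "host.example") -> str:
    """Build an OpenSSH-style ssh-ed25519 line around arbitrary 32 bytes.
    Constructed for the example; it is not a real host key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(key_material)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    pubkey = make_constructed_pubkey(bytes(range(32)))
    rr = sshfp_from_pubkey(pubkey)
    print(format_sshfp_rr("host.example.", rr))
    print("validated:  ", host_key_matches(pubkey, [rr], dnssec_validated=True))
    print("unvalidated:", host_key_matches(pubkey, [rr], dnssec_validated=False))
    print("other key:  ", host_key_matches(make_constructed_pubkey(bytes(32)), [rr], True))
```

A match against a validated record proves only that whoever signs the zone published that fingerprint. That is exactly the gap Bill points at above: the check binds the key to the zone signer, and it is a separate, organizational question whether the zone operator and the machine's administrator are the same party or have agreed on what goes into the DNS.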
