
Re: Use of DNS to distribute keys



Christian has a number of good points in his note.
I think that the certificates I'd most like to see would contain:

	1) a fully qualified domain name of a host,
	2) the public key for that host,
	and 3) an authenticating signature for the whole certificate.

	If the key certificates themselves are not in the DNS, it
still might be useful to have a record (analogous to the MX record)
which points to a host key certificate provider for a host or a
subdomain.  If not in the DNS, then I'd like for there to be some
fairly automated way that my machine could reliably obtain the public
key for the remote host so that I could use that remote public key for
session key establishment and such like.

	This key certificate acquisition should not require human
intervention.  If I send data to machine N, my networking code will
have to be able to make a call to get N's public key and then use some
(mutually agreed upon) key management protocol along with the
knowledge of N's public key and my public/private keys to setup a
session key between my machine and N.

	I hope that some future working group will devise an Internet
standard Key Management Protocol, possibly based on the SDNS Key Mgmt
Protocol but not necessarily that one.

Ran
atkinson@itd.nrl.navy.mil
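The design sketched in the message above (a certificate of FQDN, host public key and provider signature; an MX-like record pointing at a key certificate provider for a host or subdomain; and a fully automated lookup-verify-derive call before sending to host N), worked through as an added example that is not part of the original post or of any IETF work it refers to. The zone, the hosts a.example.mil and n.example.mil, the provider name keys.example.mil, and the choice of Ed25519 for the provider signature and X25519 for key agreement are all assumptions made here; the message names no algorithms. The provider's verification key is assumed to be known to the client out of band, since the message leaves that trust root open.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// HostCert holds the three fields the message proposes: FQDN, host public key, signature.
type HostCert struct {
	FQDN      string
	PublicKey []byte // X25519 public key of the host, used for session key agreement
	Signature []byte // Ed25519 signature by the key certificate provider over FQDN and key
}

// lp length-prefixes a field so adjacent fields cannot be re-split; certBody is what is signed.
func lp(b []byte) []byte                      { return append(binary.BigEndian.AppendUint16(nil, uint16(len(b))), b...) }
func certBody(name string, key []byte) []byte { return append(lp([]byte(name)), lp(key)...) }

// IssueCert is what the key certificate provider runs when it enrolls a host key.
func IssueCert(providerKey ed25519.PrivateKey, fqdn string, hostPub []byte) HostCert {
	fqdn = strings.ToLower(fqdn)
	return HostCert{fqdn, hostPub, ed25519.Sign(providerKey, certBody(fqdn, hostPub))}
}

// VerifyCert checks the signature and that the certificate names the host we asked about,
// so a genuine certificate for some other host cannot be passed off as N's.
func VerifyCert(providerPub ed25519.PublicKey, c HostCert, want string) error {
	if c.FQDN != strings.ToLower(want) {
		return fmt.Errorf("certificate names %q, wanted %q", c.FQDN, want)
	}
	if !ed25519.Verify(providerPub, certBody(c.FQDN, c.PublicKey), c.Signature) {
		return fmt.Errorf("bad signature on certificate for %s", c.FQDN)
	}
	return nil
}

// Provider is a key certificate provider; its VerifyKey is assumed known to clients out of
// band (the trust root the message leaves open). Zone is a constructed stand-in for the DNS:
// ProviderFor plays the MX-like record the message suggests (host or subdomain -> provider).
type Provider struct {
	VerifyKey ed25519.PublicKey
	Certs     map[string]HostCert
}
type Zone struct {
	ProviderFor map[string]string
	Providers   map[string]*Provider
}

// LookupCert tries fqdn, then each parent domain, for a provider record (so one record can
// cover a whole subdomain) and fetches the host's certificate from that provider.
func (z *Zone) LookupCert(fqdn string) (HostCert, ed25519.PublicKey, error) {
	fqdn = strings.ToLower(fqdn)
	labels := strings.Split(fqdn, ".")
	for i := range labels {
		p, ok := z.Providers[z.ProviderFor[strings.Join(labels[i:], ".")]]
		if !ok {
			continue
		}
		if c, ok := p.Certs[fqdn]; ok {
			return c, p.VerifyKey, nil
		}
		return HostCert{}, nil, fmt.Errorf("provider has no certificate for %s", fqdn)
	}
	return HostCert{}, nil, fmt.Errorf("no key certificate provider record covers %s", fqdn)
}

// SessionKey: static-static X25519 with N's certified key, hashed with both names in sorted
// order so that both ends derive the same key and it is bound to this pair of hosts.
func SessionKey(myPriv *ecdh.PrivateKey, peerPub []byte, myName, peerName string) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, fmt.Errorf("peer key: %w", err)
	}
	shared, err := myPriv.ECDH(pub) // Go rejects low-order points (all-zero secret) here
	if err != nil {
		return nil, err
	}
	a, b := strings.ToLower(myName), strings.ToLower(peerName)
	if a > b {
		a, b = b, a
	}
	sum := sha256.Sum256(append(append(lp(shared), lp([]byte(a))...), lp([]byte(b))...))
	return sum[:], nil
}

// ObtainKey is the single call the message wants networking code to make before sending
// to N: look up, verify, derive, with no human intervention.
func ObtainKey(z *Zone, me *ecdh.PrivateKey, myName, peerName string) ([]byte, error) {
	c, vk, err := z.LookupCert(peerName)
	if err != nil {
		return nil, err
	}
	if err = VerifyCert(vk, c, peerName); err != nil {
		return nil, err
	}
	return SessionKey(me, c.PublicKey, myName, peerName)
}

// Demo: constructed zone with one provider covering example.mil, hosts A and N enrolled,
// and the session key derived independently from each side (all names and keys made up).
func Demo() ([]byte, []byte, error) {
	providerPub, providerPriv, _ := ed25519.GenerateKey(rand.Reader)
	privA, _ := ecdh.X25519().GenerateKey(rand.Reader)
	privN, _ := ecdh.X25519().GenerateKey(rand.Reader)
	const hostA, hostN = "a.example.mil", "n.example.mil"
	prov := &Provider{providerPub, map[string]HostCert{
		hostA: IssueCert(providerPriv, hostA, privA.PublicKey().Bytes()),
		hostN: IssueCert(providerPriv, hostN, privN.PublicKey().Bytes())}}
	zone := &Zone{map[string]string{"example.mil": "keys.example.mil"}, map[string]*Provider{"keys.example.mil": prov}}
	keyA, errA := ObtainKey(zone, privA, hostA, hostN) // A is about to send to N
	keyN, errN := ObtainKey(zone, privN, hostN, hostA) // N does the same toward A
	return keyA, keyN, errors.Join(errA, errN)
}

func main() {
	keyA, keyN, err := Demo()
	fmt.Printf("err=%v both_sides_agree=%t key=%x\n", err, string(keyA) == string(keyN), keyA)
}
```

Two points the example makes concrete. The DNS answer itself need not be trusted: whoever serves the pointer record or the certificate, the client accepts a key only if the provider's signature verifies and the name inside the certificate is the one it asked for, which is why the name is signed together with the key rather than looked up separately. And the static-static agreement shown here is only the "knowledge of N's public key and my public/private keys" step; it gives no forward secrecy and no freshness, so the key management protocol the message hopes a working group will standardize would still need to mix in ephemeral values and nonces on top of the certified keys.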
