
Re: Use of DNS to distribute keys



Ran,

You will be facing two problems with the approach that you suggest:

1) If you want to attach a public key to a domain name, you will have to prove
the authority of the certifier over the domain. The classic counter example is
when you receive a certificate signed by "Al Capone, General trades, Chicago,
US" for the domain "lcs.mit.edu". What is needed is what I called "the glue".
There sure are solutions, but you will have to spell them out.

2) The host identifier is not necessarily the "correct" thing to use, even for
a firewall. I may want to grant access to our local network to "Christian
Huitema, INRIA, FR", regardless of where his powerbook happens to be plugged in.
It would thus be better to assume that a "classic" certificate is used for
establishing the IPSEC level "association context" and the associated key
exchanges; using a domain name instead of a distinguished name should just be
a special case.

Christian Huitema
PS.
Regarding ASN.1 encodings, etc.: once you start dealing with 1024-bit-wide
exponentiations, T-L-V tagging is pretty much in the noise, so not really
worth discussing...
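
The two checks the message asks for, as an added example that is not part of the original post and not code from any IPsec or DNS implementation. Point 1 becomes an authority ("glue") check on every link of a certificate chain: the issuer must be an ancestor of the subject in the same namespace, so a perfectly valid signature by "Al Capone, General trades, Chicago, US" over "lcs.mit.edu" is rejected for lack of standing, not for a bad signature. Point 2 becomes a firewall decision keyed on the certified principal, where a domain name is handled as a distinguished name whose components happen to be DNS labels. Everything here is assumed for the demo: the names, the certificate layout (subject, key, issuer, signature over those three), the trust store with one root key installed for both namespaces, and a toy RSA built from fixed well-known primes with no padding, which is illustration only.

```python
"""Toy model of the two checks the message above calls for.  Added example, not
the author's code: names, certificate format and keys are made up for the demo,
and the RSA uses fixed well-known primes with no padding (illustration only)."""
import hashlib
from collections import namedtuple

# toy RSA: 12 known primes -> 6 distinct moduli, so the demo runs offline
_PRIMES = [2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1, 2**130 - 5, 2**255 - 19,
           2**521 - 1, 2**607 - 1, 2**192 - 2**64 - 1,
           2**384 - 2**128 - 2**96 + 2**32 - 1, 2**448 - 2**224 - 1,
           2**256 - 2**32 - 977]
E = 65537

def keygen(i):
    """(public, private) for principal i; every modulus gets its own prime pair."""
    p, q = _PRIMES[2 * i], _PRIMES[2 * i + 1]
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def _h(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    return pow(_h(msg, priv[0]), priv[1], priv[0])

def verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == _h(msg, pub[0])

class Name(namedtuple("Name", "kind parts")):
    """kind is "dns" or "dn"; parts run most specific first, () is that root.
    A domain name is thus just a DN whose components are DNS labels."""
    def is_ancestor_of(self, other):
        """The glue: self may certify other only if other lies strictly below it."""
        k = len(self.parts)
        return (self.kind == other.kind and k < len(other.parts)
                and other.parts[len(other.parts) - k:] == self.parts)
    def __str__(self):
        return (".", ", ")[self.kind == "dn"].join(self.parts) or f"<{self.kind} root>"

def dns(s):
    return Name("dns", tuple(s.strip(".").split(".")) if s.strip(".") else ())

def dn(*rdns):
    return Name("dn", tuple(rdns))

Cert = namedtuple("Cert", "subject pubkey issuer sig")

def _tbs(subject, pubkey, issuer):
    return f"{subject.kind}|{subject}|{pubkey[0]:x}|{issuer.kind}|{issuer}".encode()

def issue(issuer, issuer_priv, subject, subject_pub):
    return Cert(subject, subject_pub, issuer, sign(issuer_priv, _tbs(subject, subject_pub, issuer)))

def validate(cert, store, anchors):
    """Walk issuer links up to a trust anchor.  Every link must both verify under
    the issuer's key and pass the authority check, so a sound signature from a
    party with no standing over the name is still rejected."""
    seen = set()
    while True:
        if not cert.issuer.is_ancestor_of(cert.subject):
            return False, f"{cert.issuer} has no authority over {cert.subject}"
        parent, issuer_key = None, anchors.get(cert.issuer)
        if issuer_key is None:
            parent = store.get(cert.issuer)
            if parent is None or cert.issuer in seen:
                return False, f"no path to a trust anchor from {cert.issuer}"
            issuer_key = parent.pubkey
        if not verify(issuer_key, _tbs(cert.subject, cert.pubkey, cert.issuer), cert.sig):
            return False, f"bad signature on {cert.subject}"
        if parent is None:
            return True, f"{cert.subject} chains to anchor {cert.issuer}"
        seen.add(cert.issuer)
        cert = parent

def admit(cert, store, anchors, acl, src_ip):
    """Point 2: the firewall decides on the certified principal; src_ip is only logged."""
    ok, why = validate(cert, store, anchors)
    if ok and cert.subject not in acl:
        ok, why = False, f"{cert.subject} is not in the ACL"
    return ok, f"{why} (from {src_ip})"

def demo():
    """Constructed scenario from the message; returns the firewall's decisions."""
    (root_pub, root_priv), (mit_pub, mit_priv), (lcs_pub, _) = keygen(0), keygen(1), keygen(2)
    (capone_pub, capone_priv), (inria_pub, inria_priv), (huitema_pub, _) = keygen(3), keygen(4), keygen(5)
    capone = dn("CN=Al Capone", "O=General trades", "L=Chicago", "C=US")
    inria, huitema = dn("O=INRIA", "C=FR"), dn("CN=Christian Huitema", "O=INRIA", "C=FR")
    anchors = {dns("."): root_pub, dn(): root_pub}  # one anchor key, trusted for both namespaces
    store = {c.subject: c for c in (issue(dns("."), root_priv, dns("mit.edu"), mit_pub),
                                    issue(dn(), root_priv, capone, capone_pub),
                                    issue(dn(), root_priv, inria, inria_pub))}
    host = issue(dns("mit.edu"), mit_priv, dns("lcs.mit.edu"), lcs_pub)
    bogus = issue(capone, capone_priv, dns("lcs.mit.edu"), lcs_pub)   # the Al Capone case
    tampered = Cert(host.subject, capone_pub, host.issuer, host.sig)  # key swapped after signing
    person = issue(inria, inria_priv, huitema, huitema_pub)
    acl = {dns("lcs.mit.edu"), huitema}
    return {"mit-signed host": admit(host, store, anchors, acl, "18.26.0.1"),
            "capone-signed host": admit(bogus, store, anchors, acl, "18.26.0.1"),
            "tampered host": admit(tampered, store, anchors, acl, "18.26.0.1"),
            "huitema at INRIA": admit(person, store, anchors, acl, "192.0.2.10"),
            "huitema on the road": admit(person, store, anchors, acl, "203.0.113.5"),
            "inria CA itself": admit(store[inria], store, anchors, acl, "192.0.2.1")}
```

Running `demo()` admits the mit.edu-signed host and Christian Huitema from either address, and denies the Al Capone-signed host ("has no authority over lcs.mit.edu"), the certificate whose key was swapped after signing ("bad signature"), and the INRIA CA itself, which chains correctly but is not a listed principal. The authority check runs before the signature check on purpose: a signer outside the name's hierarchy is rejected whatever key it holds, which is the "glue" the message says the DNS proposal would still have to spell out.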

