
Re: Use of DNS to distribute keys



Charles,

	There are several issues associated with certificate storage
and retrieval.  For realtime protocols, it is reasonable to assume
that the target of a connection request is available and getting the
target's certificate from the target seems reasonable.  You may really
need more than just the target's certificate, e.g., a full
certification path to the target and CRLs for each CA along that path.
Still, all of this could be stored by the target and provided to any
requestor.

	However, for a protocol such as email, the sender's machine
and the recipients' machines need not all be available at the same
time, and this model is not quite so attractive.  Also, because email
is typically multicast (at the application level), having to retrieve
certification paths and CRLs from all the recipient's hosts may be
quite burdensome.  So, in that circumstance, having a set of
repositories, e.g., directories, for this data is more attractive.
Moreover, if you had to connect to a directory for name->address
mapping anyway, getting the certificate information at the same time
seems fairly efficient.

	Finally, there is the question of how you search for the
requisite certificate data.  The DNS, as a directory system, is very
restrictive and it requires you to know the precise name of the target
of your request.  This is adequate for its role in simple name/address
mapping for computers, but only because people perform the harder task
of mapping real world attributes into DNS names by external means.
For an email system, where the targets are people, not machines, we
use additional directory services like whois.  One could argue that
the right place to store certificates for email users is in their
whois entries.  Unfortunately the whois system is not so
comprehensive, so well distributed, or so well maintained as the DNS.

	I believe the question that precipitated this discussion came
from someone who posed it in the context of certificates for machines,
not for people, in which case DNS names are reasonable search indices
and the DNS would be an ideal repository, except for the size
limitation on UDP transactions cited earlier.

Steve

