
Re: Use of DNS to distribute keys



> As pointed out earlier, the DNS UDP size limitation and the
> largeish and growing size of modern certificates probably make
> it unrealistic to support DNS-based certificate distribution,
> at least with current implementations.

Though a single 1024-bit entity will fit in a UDP packet, use TCP with
current DNS implementations if it will be much larger. TCP is not so
heavy compared to the modern complex certificate. It's only as heavy as
a TCP SMTP connection.

> Perhaps throwing in email has been a complicating factor,
> not only because of the MX driven store-and-forward stuff, but
> because now we are authenticating people rather than net hosts.

Authentication of mail receiving people will be done by each mail
server host if hosts are authenticated.

> It has been obvious for some time that the Internet canonical
> "user@host.domain" paradigm for person-identification is
> breaking down.  This scheme made a great deal of sense when
> there were a few dozen well-known large mainframes with many
> users on each, but it gets strained when we move to personal
> machines where the "host.domain" part identifies the owner as
> well as the machine and if "user" is used at all it is used to
> identify functional entities within that personal machine.

So, the public key of the "user@host.domain" for mail will be asked of
the MX pointee of "host.domain", outside of SMTP or during the SMTP
connection.

> As a consequence we have "kluged" it by making the "host.domain"
> part of email addresses specify an entire community of users
> (like BBN.COM) and we use the MX mechanism to store-and-forward
> the mail to the appropriate workstation or repository.

By asking the public key of the user only of the host with the least MX
preference value, or only of hosts with MX preference values of
less than, say, 100, or by having a new RR type to point to an authentication
host, store-and-forward will still work.

> "user@host.domain"
> might not be the best email addressing
> paradigm for the current network environment.

I disagree.

> We might need to generalize the identifier problem to the
> idea of a Network Visible Entity (NVE) and then define new
> protocols in order to extract things like email routing
> information from them.  If we do this, obtaining any needed
> email certificates would more correctly be a function of
> these new protocols than patching it into a database keyed
> on host name like the DNS.

Wrong. The key of DNS is a domain name, not necessarily a host name.
It is MX which points to the mail server hosts for the domain name.

						Masataka Ohta
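An added example, not from the thread, that models the two lookup rules proposed in the reply (ask only the lowest-preference MX host, or every MX host with preference below a cut-off such as 100) together with the UDP-versus-TCP transport choice from its first paragraph. The MX records, the 512-byte figure (the plain DNS-over-UDP limit of RFC 1035) and the function names are assumptions of this example.

```python
from typing import List, Optional, Tuple

# RFC 1035 limits a plain DNS message carried over UDP to 512 bytes.
DNS_UDP_MAX = 512

# Constructed sample MX RRset for "host.domain" in zone-file style.
SAMPLE_MX_ZONE = """\
host.domain.   IN MX 10  mx1.host.domain.
host.domain.   IN MX 10  mx2.host.domain.
host.domain.   IN MX 50  relay.host.domain.
host.domain.   IN MX 200 backup.other.example.
"""

def parse_mx(zone_text: str) -> List[Tuple[int, str]]:
    """Parse zone-file style MX lines into (preference, host) pairs."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[1:3] != ["IN", "MX"]:
            continue  # ignore anything that is not an MX record
        records.append((int(fields[3]), fields[4].rstrip(".")))
    return records

def key_lookup_hosts(mx: List[Tuple[int, str]],
                     cutoff: Optional[int] = None) -> List[str]:
    """Hosts to ask for the user's public key, best preference first.

    cutoff=None: only the hosts sharing the lowest preference value
    (the reply's first rule). Otherwise every host whose preference
    is below the cutoff (the reply's second rule, e.g. 100)."""
    if not mx:
        return []
    ordered = sorted(mx)  # by preference, then host name
    if cutoff is None:
        best = ordered[0][0]
        return [h for p, h in ordered if p == best]
    return [h for p, h in ordered if p < cutoff]

def transport_for(answer_size: int) -> str:
    """UDP if the whole DNS answer fits one RFC 1035 datagram, else TCP."""
    return "udp" if answer_size <= DNS_UDP_MAX else "tcp"

if __name__ == "__main__":
    mx = parse_mx(SAMPLE_MX_ZONE)
    print(key_lookup_hosts(mx))        # lowest-preference hosts only
    print(key_lookup_hosts(mx, 100))   # every host under preference 100
    print(transport_for(128))          # a bare 1024-bit key fits UDP
    print(transport_for(1600))         # a larger certificate needs TCP
```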

