Re: Use of DNS to distribute keys




Rob,

  Before you choke on your morning coffee, the quote you cite is NOT from
me.  I want to use Key Certificates rather than raw keys and I see a number
of infrastructure/deployment problems with building trust mechanisms into
each and every DNS server.  From my very first note *I* have been talking
about key certificates.  I believe the quote you cite is from Ohta-san.

  Rest confident that I am VERY worried about assurance in information
systems.  I work in the Center for High Assurance Computing Systems at
NRL and we at NRL are basically sceptics about anything less than B3 kinds
of assurance in trusted systems.  Our running comment when vendors visit
us is "it might be trusted but is it really TRUSTWORTHY?".

  I have pondered the deployment of authentication into an internet
in some previous research.  I do see the approach Ohta-san advocates as
one that is interesting.  Based on my research and some experimentation,
I have concluded that key certificates are the only way to get reasonable
kinds of assurance and to make widespread deployment practical.

  In particular, I would like to try to reuse the key certificate 
infrastructure being developed and deployed for PEM if at all possible.

Ran
atkinson@itd.nrl.navy.mil