
Re: Use of DNS to distribute keys

Again, please note that the "he" in Rob Shirey's note is NOT me. :-)

I would propose that we consider distributing key certificates for host
computers using the normal DNS without adding any special mechanisms 
to the DNS other than maybe a new resource record.  In my discussions, 
I place trust in the cryptographic mechanisms behind the key certificates 
and not in the network or the end computer systems or the DNS servers.

Someone has pointed out a potential problem with the size of a key certificate
possibly being larger than the DNS is currently set up to handle.  This
potential problem should be explored further with the DNS experts.

I'd also like to note that my discussion has been deliberately limited
to key certificates for hosts, not for persons.  The key certificates
for people are properly handled using the PEM approach.  The value in
host key certificates is for the case where one deploys some kind of
IP Security Protocol (e.g. SP3) or some kind of IP authentication mechanism.

Regards,

  Ran
  atkinson@itd.nrl.navy.mil
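To illustrate the trust model in the message above (trust the signature on the certificate, not the DNS server or the network that returned it), here is an added example that is not part of the original post or of any standard: a hypothetical host key-certificate RR whose RDATA layout, the Ed25519 choice, and the names IssueHostCert and VerifyHostCert are all constructed for this illustration. A resolver that verifies the CA signature rejects an answer that a hostile server or on-path party has altered; the printed RDATA length also lets a reader judge the size concern against the classic 512-byte DNS/UDP message limit.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// IssueHostCert builds the RDATA of a hypothetical host key-certificate RR
// (constructed for this example; no such RR type is standardised) laid out as
// len16 | owner name | host Ed25519 key (32) | CA signature (64) over the rest.
func IssueHostCert(caPriv ed25519.PrivateKey, host string, hostKey ed25519.PublicKey) []byte {
	body := make([]byte, 2+len(host)+ed25519.PublicKeySize)
	binary.BigEndian.PutUint16(body, uint16(len(host)))
	copy(body[2:], host)
	copy(body[2+len(host):], hostKey)
	return append(body, ed25519.Sign(caPriv, body)...)
}

// VerifyHostCert takes RDATA from an untrusted DNS answer and trusts only the CA
// signature, never the server or network that delivered it; returns name and key.
func VerifyHostCert(rdata []byte, caPub ed25519.PublicKey) (string, ed25519.PublicKey, error) {
	if len(rdata) < 2 {
		return "", nil, errors.New("rdata too short")
	}
	n := int(binary.BigEndian.Uint16(rdata))
	bodyLen := 2 + n + ed25519.PublicKeySize
	if len(rdata) != bodyLen+ed25519.SignatureSize {
		return "", nil, errors.New("rdata length mismatch")
	}
	body, sig := rdata[:bodyLen], rdata[bodyLen:]
	if !ed25519.Verify(caPub, body, sig) {
		return "", nil, errors.New("CA signature invalid: answer forged or altered")
	}
	return string(body[2 : 2+n]), ed25519.PublicKey(body[2+n : bodyLen]), nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed CA key pair
	hostPub, _, _ := ed25519.GenerateKey(rand.Reader)    // constructed host key
	rdata := IssueHostCert(caPriv, "gw.example.net", hostPub)
	fmt.Println(len(rdata), "bytes of RDATA (classic DNS/UDP messages are capped at 512)")
	host, _, err := VerifyHostCert(rdata, caPub)
	fmt.Println("genuine answer:", host, err)
	rdata[2] ^= 0xff // a hostile server or on-path party rewrites the owner name
	_, _, err = VerifyHostCert(rdata, caPub)
	fmt.Println("tampered answer:", err)
}
```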