[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DNSSEC for IPSEC?

To: John Gilmore <gnu@toad.com>
Subject: Re: DNSSEC for IPSEC?
From: Bill Sommerfeld <sommerfeld@apollo.hp.com>
Date: Thu, 25 Jul 1996 12:50:30 -0400
Cc: dennis.glatting@plaintalk.bellevue.wa.us, ipsec@TIS.COM
In-Reply-To: gnu's message of Thu, 25 Jul 1996 01:30:49 -0700. <199607250830.BAA22290@toad.com>
Sender: ipsec-approval@neptune.tis.com

With respect to validation policies, I think there's also need for
some more advanced policies, allowing for a domain-to-domain web of
trust/cross certification, where the trust graph doesn't match the
domain hierarchy.

E.g., to use Bob Moskowitz's auto industry model, Chrysler and its big
subcontractors may well "trust" the root domain to not screw up on a
day-to-day basis, but because they have long-term business
relationship involving the exchange of hundreds of millions of dollars
a year, and they only each send $50/year to the Internic, they might
be happier if there was a direct trust path between their zones not
involving any organization which wasn't as committed as they were to
their business relationship.

One way to do this would be to configure the trusted key for
chrysler.com into all resolvers in the subcontractor.com domain, but
that would be a management nightmare; an alternative would be to set
up some sort of "trusted shadow" of the root inside chrysler.com
(e.g., a peers.chrysler.com zone signed by the chrysler key containing
KEY rr's off of `subcontractor.com.peers.chrysler.com'); the
validation model (which is admittedly an extension of the current
DNSsec model) would trust zone keys inside the shadow subtree before
you trust keys certified through the root..

					- Bill

References:

Re: DNSSEC for IPSEC?

From: John Gilmore <gnu@toad.com>

Prev by Date: Re: DNSSEC for IPSEC?
Next by Date: Re: Exporting an IPSec implementation
Prev by thread: Re: DNSSEC for IPSEC?
Next by thread: Re: DNSSEC for IPSEC?
Index(es):
- Main
- Thread