
Re: DNSSEC for IPSEC?



DNS is a database.

Secure DNS makes the database secure, as long as the managers
of the database are reliable. That is, ownership of DNS name
space and IP address space may be considered to be secure.

Nothing more than that.

So, secure DNS as is can offer only the abstract security over
a DNS tree having nothing to do with the real world.

For real world applications, we need some social and/or network
mechanism for the anchoring with some API.

For example, an authentication chain on election must be rooted by
the governments.

On the other hand, an economically meaningful authentication chain may
be rooted by reliable banks, credit card companies or issuers of prepaid
cards, which may, then, be secured by some physically written contract.

To make matters worse, which entities are reliable varies currency
by currency, person by person and by the amount of the transaction.

Finally, if there is a reliable anchor into DNS tree, secure DNS
is a mechanism to offer a secure authentication chain from it mostly
along the structure of DNS tree.

But, as people's identity is maintained by government hierarchy
unrelated to DNS tree, I'm not sure whether secure DNS is useful
in the real world except for the management of ownership of
DNS name space and IP address space.

							Masataka Ohta