[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DNSSEC for IPSEC?

To: dennis.glatting@plaintalk.bellevue.wa.us
Subject: Re: DNSSEC for IPSEC?
From: Derek Atkins <warlord@mit.edu>
Date: Fri, 26 Jul 1996 15:08:46 EDT
Cc: John Gilmore <gnu@toad.com>, ipsec@TIS.COM
In-Reply-To: Your message of "Thu, 25 Jul 1996 23:45:00 PDT." <199607260645.XAA00284@imo.plaintalk.bellevue.wa.us>
Sender: ipsec-approval@neptune.tis.com

> There is an issue. Storing the private key off-line is not
> a deterrent: the mischievous person simply generates a
> new key pair and re-signs the zone.

Actually, this doesn't work.  The problem is that the parent zone
needs to have signed the zone's key.  So, I couldn't go and forge
a zone key for MIT.EDU, because the MIT.EDU key needs to be signed
by the EDU key, which in turn needs to be signed by the root key.

So, you can't forge a key without forging the whole hierarchy.

-derek

Follow-Ups:

Re: DNSSEC for IPSEC?

From: Dennis Glatting <dennisg@plaintalk.bellevue.wa.us>

References:

Re: DNSSEC for IPSEC?

From: Dennis Glatting <dennisg@plaintalk.bellevue.wa.us>

Prev by Date: Re: DNSSEC for IPSEC?
Next by Date: Re: challenges for the IPSEC group
Prev by thread: Re: DNSSEC for IPSEC? -- or, how to exploit DNSSEC
Next by thread: Re: DNSSEC for IPSEC?
Index(es):
- Main
- Thread