
Re: DNSSEC for IPSEC?



At 03:08 PM 7/26/96 EDT, Derek Atkins wrote:
>> There is an issue. Storing the private key off-line is not
>> a deterrent: the mischievous person simply generates a
>> new key pair and re-signs the zone.
>
>Actually, this doesn't work.  The problem is that the parent zone
>needs to have signed the zone's key.  So, I couldn't go and forge
>a zone key for MIT.EDU, because the MIT.EDU key needs to be signed
>by the EDU key, which in turn needs to be signed by the root key.
>
>So, you can't forge a key without forging the whole hierarchy.
>
Gee it sounds like a job for an AlterNIC...

Robert Moskowitz
Chrysler Corporation
(810) 758-8212
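
The chain-of-trust argument in the quoted text, as an added example that is not part of the original thread: a validator walks signatures down from a trusted root key, so a zone re-signed with a freshly generated key is rejected. The toy textbook RSA, the function names and the records are assumptions constructed for illustration.

```python
import hashlib

def make_key(p, q, e=65537):
    # Toy textbook RSA from two known primes: illustration only, not secure.
    n = p * q
    return {"pub": (n, e), "priv": (n, pow(e, -1, (p - 1) * (q - 1)))}

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

def key_record(zone, pub):
    # Hypothetical serialization of a zone key, the thing the parent signs.
    return f"{zone} KEY {pub[0]} {pub[1]}".encode()

def validate(trust_anchor, chain, rrset, rrsig):
    # chain: (zone, public key, parent's signature over that key), top down.
    signer = trust_anchor
    for zone, pub, parent_sig in chain:
        if not verify(signer, key_record(zone, pub), parent_sig):
            return f"rejected: {zone} key is not signed by its parent"
        signer = pub
    return "valid" if verify(signer, rrset, rrsig) else "rejected: bad zone signature"

def demo():
    m = lambda k: 2**k - 1  # Mersenne primes, used only as convenient toy primes
    root, edu = make_key(m(521), m(607)), make_key(m(107), m(127))
    mit, new_key = make_key(m(61), m(89)), make_key(m(31), m(1279))
    edu_sig = sign(root["priv"], key_record("EDU", edu["pub"]))
    mit_sig = sign(edu["priv"], key_record("MIT.EDU", mit["pub"]))
    good = b"www.mit.edu. A 192.0.2.10"    # constructed record
    bad = b"www.mit.edu. A 198.51.100.66"  # constructed record, re-signed with new_key
    top = ("EDU", edu["pub"], edu_sig)
    honest = validate(root["pub"], [top, ("MIT.EDU", mit["pub"], mit_sig)],
                      good, sign(mit["priv"], good))
    # The new key signs the zone consistently, but the only parent signature
    # that exists is the one EDU made over the real MIT.EDU key.
    resigned = validate(root["pub"], [top, ("MIT.EDU", new_key["pub"], mit_sig)],
                        bad, sign(new_key["priv"], bad))
    return honest, resigned

if __name__ == "__main__":
    print(demo())
```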