Paul Hoffman <[email protected]> writes:

> On Aug 27, 2014, at 12:46 PM, Wes Hardaker <[email protected]> wrote:
>
>> But what's the solution? How do we authenticate that resolver? PKIX
>> won't help us, as there is no name.
>
> Say what? That draft clearly says that the resolver can have a PKIX
> certificate with its IP address as the name.

So we're going to issue a gazillion PKIX certs for 10.0.0.1?

> The likelihood that you have the coffee shop's DHCP server's
> credentials is zero.

I think I was implying that, so we agree :-)

> You also forgot other options, such as a preshared signing key. That
> would work fine for enterprises or ISPs with a help desk and a few
> thousand users. "Paste this into that dialog on your computer" works
> OK. But PKIX with IP addresses is probably more scalable.

Well, I thought about the coffee shop sign (here's our WPA password along with our resolver's magic verification string).

--
Wes Hardaker
Parsons

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
