>>>>> On Wed, 24 Jul 2002 20:06:51 -0700,
>>>>> Ted Lemon <[EMAIL PROTECTED]> said:
>> Returning to your idea, it sounds attractive. However, I'm not sure
>> if this approach is applicable widely. In particular, I'm not sure if
>> "edge devices" such as personal laptops, PDAs, cell phones..., for
>> which the nodeinfo-revlookup would be most useful, have private keys
>> authorized in the DNSSEC framework.
> Why not? I think they do probably have private keys, and configuring them
> with the private side of a DNSSEC key doesn't sound very hard. It does
> sound like it would be quite useful. :')
It is probably okay to assume the devices have some private keys. My
concerns (or what I'm not sure about) are:
- how to register the keys in DNS. Manual configuration (by an
administrator) is not realistic for general cases, but I'm not sure
if DNS dynamic update is effective.
- how to construct the trust chain of DNSSEC toward the root zone.
The zone to which the edge devices belong is presumably a kind of
"personal" one, and we may not always assume it is a secure zone.
In fact, in my understanding the current trend of DNSSEC is to
restrict signed zones to some "well-known" ones such as a zone
containing famous commercial web servers.
Some may have an idea to deal with this, though. If there is a
concrete idea of an entire system, I'm very interested in it.
JINMEI, Tatuya
Communication Platform Lab.
Corporate R&D Center, Toshiba Corp.
[EMAIL PROTECTED]
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
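The two concerns above (getting an edge device's key registered in the parent zone, and the chain of trust from the root down through a "personal" zone) can be made concrete with a small model. The following is an added example written for this thread, not code from the list or from any DNSSEC implementation: it models zones, DNSKEY/DS/RRSIG records and a root trust anchor, and walks the chain the way a validating resolver would, returning "secure", "insecure" (delegation not signed, so nothing to verify) or "bogus" (signature or DS mismatch). Real DNSSEC signs with RSA or ECDSA; here a Lamport one-time signature over SHA-256 stands in so the example runs with only the standard library, and zone names, addresses and the `ds:` record prefix are constructed for illustration.

```python
"""Simplified DNSSEC chain-of-trust model (added example, stdlib only)."""
import hashlib
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- toy asymmetric signature: Lamport one-time signature over SHA-256 ---
# Stand-in for the RSA/ECDSA algorithms real DNSSEC uses (assumption).
def keygen():
    priv = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pub = [(sha256(a), sha256(b)) for a, b in priv]
    return priv, pub


def _bits(msg: bytes) -> List[int]:
    h = sha256(msg)
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(priv, msg: bytes) -> List[bytes]:
    # Reveal one of the two secrets per message-hash bit.
    return [priv[i][bit] for i, bit in enumerate(_bits(msg))]


def verify(pub, msg: bytes, sig: Optional[List[bytes]]) -> bool:
    if sig is None or len(sig) != 256:
        return False
    return all(sha256(sig[i]) == pub[i][bit] for i, bit in enumerate(_bits(msg)))


def dnskey_rdata(pub) -> bytes:
    return b"".join(a + b for a, b in pub)  # the zone's "DNSKEY" RDATA


# --- zones, delegation and validation ---
@dataclass
class Zone:
    name: str
    signed: bool
    priv: Optional[list] = None
    pub: Optional[list] = None
    records: Dict[str, bytes] = field(default_factory=dict)   # owner -> RDATA
    rrsigs: Dict[str, List[bytes]] = field(default_factory=dict)  # owner -> RRSIG


def make_zone(name: str, signed: bool = True) -> Zone:
    z = Zone(name, signed)
    if signed:
        z.priv, z.pub = keygen()
    return z


def add_record(zone: Zone, owner: str, rdata: bytes) -> None:
    zone.records[owner] = rdata
    if zone.signed:  # an unsigned zone publishes no RRSIGs
        zone.rrsigs[owner] = sign(zone.priv, owner.encode() + rdata)


def register_ds(parent: Zone, child: Zone) -> None:
    """Parent publishes DS = hash of the child's DNSKEY, signed with the parent key.
    This is the registration step the thread asks about (manual or dynamic update)."""
    add_record(parent, "ds:" + child.name, sha256(dnskey_rdata(child.pub)))


def validate(chain: List[Zone], owner: str, trust_anchor: bytes) -> str:
    """chain: zones from the root down to the zone holding `owner`."""
    for depth, zone in enumerate(chain):
        if depth == 0:
            if not zone.signed or sha256(dnskey_rdata(zone.pub)) != trust_anchor:
                return "bogus"  # root key does not match the configured anchor
            continue
        parent = chain[depth - 1]
        ds_owner = "ds:" + zone.name
        if ds_owner not in parent.records:
            return "insecure"  # no DS in the parent: chain ends, nothing to verify
        ds = parent.records[ds_owner]
        if not verify(parent.pub, ds_owner.encode() + ds, parent.rrsigs.get(ds_owner)):
            return "bogus"  # DS record itself fails the parent's signature
        if not zone.signed or sha256(dnskey_rdata(zone.pub)) != ds:
            return "bogus"  # child key does not match the DS the parent vouches for
    leaf = chain[-1]
    rdata = leaf.records[owner]
    ok = verify(leaf.pub, owner.encode() + rdata, leaf.rrsigs.get(owner))
    return "secure" if ok else "bogus"


def demo() -> Dict[str, str]:
    root = make_zone(".")
    example = make_zone("example.")
    home = make_zone("home.example.")  # a "personal" zone, signed locally
    register_ds(root, example)
    add_record(example, "www.example.", b"2001:db8::1")       # constructed
    add_record(home, "laptop.home.example.", b"2001:db8::2")  # constructed
    anchor = sha256(dnskey_rdata(root.pub))  # configured root trust anchor
    out = {"www.example.": validate([root, example], "www.example.", anchor)}
    # Key never registered with the parent: the chain stops at example.
    out["before_ds"] = validate([root, example, home], "laptop.home.example.", anchor)
    register_ds(example, home)
    out["after_ds"] = validate([root, example, home], "laptop.home.example.", anchor)
    # Tampered RDATA no longer matches its RRSIG.
    example.records["www.example."] = b"2001:db8::bad"
    out["tampered"] = validate([root, example], "www.example.", anchor)
    return out


if __name__ == "__main__":
    print(demo())
```

The "before_ds" case is the registration problem from the thread: the device zone can sign its own records, but until the parent publishes a DS for it the resolver can only report the answer as insecure, which is indistinguishable from a zone that never signed at all. The "insecure" versus "bogus" distinction also matters operationally: a bogus result should be treated as a validation failure, while insecure simply means the chain could not be extended.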