On Fri, Jul 26, 2002 at 02:03:39AM +0900, JINMEI Tatuya wrote:
> >>>>> On Wed, 24 Jul 2002 20:06:51 -0700,
> >>>>> Ted Lemon <[EMAIL PROTECTED]> said:
>
> >> Returning to your idea, it sounds attractive. However, I'm not sure
> >> if this approach is applicable widely. In particular, I'm not sure if
> >> "edge devices" such as personal laptops, PDAs, cell phones..., for
> >> which the nodeinfo-revlookup would be most useful, have private keys
> >> authorized in the DNSSEC framework.
>
> > Why not? I think they do probably have private keys, and configuring them
> > with the private side of a DNSSEC key doesn't sound very hard. It does
> > sound like it would be quite useful. :')
>
> It is probably okay to assume the devices have some private keys. My
> concerns (or what I'm not sure about) are:
>
> - how to register the keys to DNS. Manual configuration (by an
>   administrator) is not realistic for general cases, but I'm not sure
>   if DNS dynamic update is effective.

In the mobile, dynamic IPv6 world, it seems like having public keys in
DNS would be fairly common for things like secured NSUPDATE, so the
host would already be doing this.

> - how to construct the trust chain of DNSSEC toward the root zone.
>   The zone to which the edge devices belong is presumably a kind of
>   "personal" one, and we may not always assume it is a secure zone.
>   In fact, in my understanding the current trend of DNSSEC is to
>   restrict signed zones to some "well-known" ones such as a zone
>   containing famous commercial web servers.

Something tells me that a lot of people on this mailing list will have
signed, secure zones long before these famous commercial web servers...

--
David Terrell            | Step 1: "configure one system using your GUI"
[EMAIL PROTECTED]        | Step 2: "now configure 1000 more"
Nebcorp Prime Minister   |  - Casper H.S. Dik
http://wwn.nebcorp.com   |
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
