In message <[EMAIL PROTECTED]> on Thu, 13
Jun 2002 10:08:49 -0400, "John Stracke" <[EMAIL PROTECTED]> said:
jstracke> >The CERT extension to DNS allows to place there a URI, a
jstracke> >URI is smaller than a cert and stays in a udp packet.
jstracke>
jstracke> Bootstrap problem: how can you tru
>The CERT extension to DNS allows to place there a URI, a URI is smaller than
>a cert and stays in a udp packet.
Bootstrap problem: how can you trust the results of the URI?
/=\
|John Stracke|Principal Engineer
>> I don't want to discount the importance of cert discovery, but I do
>> think it's a stretch to believe that you're going to be willing to
>> trust all of the certs that you discover in a chain of significant
>> length, for a significant set of purposes.
>
>We're already trusting chains of signf
Then a global PKI protocol server needs to be invented so you can just get the
certs from the domain in question. I don't wanna see the DNS system bogged down by
this stuff. IMHOOC!
use dns to get the IP and request from its IP the pki doc.. duh.
6/11/02 6:51:26 PM, Derek Atkins <[EMAIL PROTECTE
At 7:44 PM +0200 6/12/02, Jakob Schlyter wrote:
>could we perhaps move this discussion to [EMAIL PROTECTED]?
Yes we could, but whether or not people want to is another question.
As for the people who have made comments about "it would be nice to
be able to discover paths to trusted roots", plea
> >We're already trusting chains of significant length (i.e. DNS delegation)
> >with no decent verification at all.
>
> That's a good point. PKI on DNS might not be the most trustworthy system
> imaginable, but it would probably be an improvement over no PKI. Provided
> it doesn't break DNS...
could we perhaps move this discussion to [EMAIL PROTECTED]?
jakob
__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Man
> > I don't want to discount the importance of cert discovery, but I do
> > think it's a stretch to believe that you're going to be willing to trust
> > all of the certs that you discover in a chain of significant length, for
> > a significant set of purposes.
>
> So do you think that there's a n
At 10:27 PM 6/7/2002 -0400, [EMAIL PROTECTED] wrote:
>2) DNS has to be *FAST*, especially at the root - we're talking on the
>order of 200K queries a *SECOND*. You figure out how to do that while
>also tossing certificates around, let us know...
I must be missing something. As far as I know, the
On 6/12/02 8:20 AM, "Eric Rescorla" <[EMAIL PROTECTED]> wrote:
>> But I can do
>> this only if I can discover certs that *aren't* either in the set it hands
>> me or in my local set, and TLS says nothing about how to do this.
> Yes, because it's an edge case.
Scalability as an edge case. Hmm.
>
-----Original Message-----
From: Chris Evans [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 13 June 2002 4:46
To: David Conrad; Derek Atkins
Cc: Eric A. Hall; John Stracke; ietf; [EMAIL PROTECTED]; Key Distribution;
[EMAIL PROTECTED]
Subject: Re: Global PKI on DNS?
Then a global PKI protocol server needs to be i
>> Because it's not their software? If I wanted to do PKI through DNS, and my
>> ISP's server did not support TCP, I might be stuck. Personally, I don't
>> depend on my ISP for DNS, but many users do.
>
>So users wanting this new service will be pretty motivated to switch DNS
>servers when the
on 6/11/2002 11:01 PM David Conrad said the following:
> Why would anyone care about root or TLD _certificates_?
Uhh, because it was requested:
on 6/8/2002 8:22 AM Franck Martin said the following:
| The root servers would share the ROOT Certificates and would sign a
| certificate to each
>Such software would not see this kind of data unless a user
>of the server tried to use this stuff, and in that case I don't see
>why that user couldn't upgrade her own software to get it to work.
Because it's not their software? If I wanted to do PKI through DNS, and my
ISP's server did not su
On 6/11/02 6:15 PM, "Eric A. Hall" <[EMAIL PROTECTED]> wrote:
>> Why do you think the roots and TLDs would get millions of TCP queries for
>> their certs? Why would anyone want to get the certs of the roots or tlds?
> Why do you think anybody would cache them long-term if they were right
> there
Since I assume that most people on the lists already understand
this stuff, I'll followup to Peter privately...
> Somebody suggested out-of-band that I might be trolling with my last
> post, but actually I was just surrendering to my frustration, for which
> I apologize. I know what a wasteland
(Please respect Reply-To)
"Eric A. Hall" <[EMAIL PROTECTED]> writes:
> on 6/8/2002 8:54 PM Simon Josefsson said the following:
>
>> Despite the FUD presented by certain individuals that don't want
>> keys/certs in DNS, people have already started doing it and it works
>> fine.
>
> Setting aside
on 6/8/2002 8:54 PM Simon Josefsson said the following:
> Despite the FUD presented by certain individuals that don't want
> keys/certs in DNS, people have already started doing it and it works
> fine.
Setting aside the issue of whether or not people are spreading FUD,
perhaps you could tell u
> > 1) short lived certs
> > 2) CRL's published at regular intervals.
> >
> > both involve a regularly-signed short-lived objects.
>
> Errr - OCSP?
last year we implemented a system that used DNS (with security extensions)
to distribute certificate validity information (among other things)
On Sun, 09 Jun 2002 21:36:08 EDT, Keith Moore said:
> > Unfortunately, Zymyrgy's Law of Evolving Thermodynamics applies here.
> > The worms are out of the can, and I suggest anybody who wants to fight
> > this battle order at least a 4-sizes-larger can
>
> these particular worms are still in
On Sun, 09 Jun 2002 20:57:58 EDT, Keith Moore said:
> assuming that you can keep the folks who control the TLDs from trying
> to sell themselves as authoritative CAs for those TLDs, I mostly agree.
Unfortunately, Zymyrgy's Law of Evolving Thermodynamics applies here.
The worms are out of the ca
Correction: A single global rooted PKI is a bad idea, a single global (in
the namespace sense, not a single system) PKI database where we can look up
certificates is a good idea.
At 07:39 PM 6/9/2002 -0400, Keith Moore wrote:
> > I was wondering if the best system to build a global PKI woul
> Unfortunately, Zymyrgy's Law of Evolving Thermodynamics applies here.
> The worms are out of the can, and I suggest anybody who wants to fight
> this battle order at least a 4-sizes-larger can
these particular worms are still in the can, and it's probably better
for everyone if they stay t
> Correction: A single global rooted PKI is a bad idea, a single global (in
> the namespace sense, not a single system) PKI database where we can look up
> certificates is a good idea.
assuming that you can keep the folks who control the TLDs from trying
to sell themselves as authoritative CAs f
> I was wondering if the best system to build a global PKI wouldn't be the
> DNS system already in place?
A global PKI is a Bad Idea. Nobody is sufficiently trustworthy to be the
root CA.
Keith
I see who you are talking about
But I think it is an IETF problem to provide an informational RFC to provide a map between certificate DN and DNS namespace and to provide a mechanism to look at CERT and CRL. Then it is an ICANN problem to implement on the root-servers and delegate to others...
> actually UDP/IP max_size is 512 Bytes
no; you're ignoring fragmentation which has been common since 1980 or so.
Bill Sommerfeld wrote:
>> As others have pointed out, the DNS already has the capability
>> to store certs. So you could use the DNS as a publication
>> method. But is this the only thing a PKI needs? How would
>> one revoke a cert that was in the DNS? How can you update
> As others have pointed out, the DNS already has the capability
> to store certs. So you could use the DNS as a publication
> method. But is this the only thing a PKI needs? How would
> one revoke a cert that was in the DNS? How can you update
> -every- cached
On Sat, Jun 08, 2002 at 01:35:42PM -0700, David Conrad wrote:
> On 6/8/02 6:22 AM, "Steven M. Bellovin" <[EMAIL PROTECTED]> wrote:
> > DNS packets are limited to 512 bytes.
>
> No they are not. They are limited to 64K. Even without EDNS0, a large
> response can fall back to TCP. You know this.
on 6/8/2002 8:22 AM Franck Martin said the following:
> I was wondering if the best system to build a global PKI wouldn't be the
> DNS system already in place?
This is an ongoing argument. Essentially there are two camps:
Pro--there's a global database out there, let's put useful stuff
Pekka Savola <[EMAIL PROTECTED]> writes:
> On Sat, 8 Jun 2002, Michael Richardson wrote:
>> > "Franck" == Franck Martin <[EMAIL PROTECTED]> writes:
>> Franck> I was wondering if the best system to build a global PKI wouldn't be the
>> Franck> DNS system already in place?
>>
>> Fra
In message <[EMAIL PROTECTED]>, David Conrad writes:
>On 6/8/02 6:22 AM, "Steven M. Bellovin" <[EMAIL PROTECTED]> wrote:
>> DNS packets are limited to 512 bytes.
>
>No they are not. They are limited to 64K. Even without EDNS0, a large
>response can fall back to TCP. You know this.
I was exclud
On Sat, 08 Jun 2002 13:22:28 -, Franck Martin said:
> I was wondering if the best system to build a global PKI wouldn't be the
> DNS system already in place?
No.
1) There's *NOT* a good mapping between the DNS and LDAP (hint - DN=, O=,
and OU+ can be at the same level...)
2) DNS has to be
> "Franck" == Franck Martin <[EMAIL PROTECTED]> writes:
Franck> I was wondering if the best system to build a global PKI wouldn't be the
Franck> DNS system already in place?
Franck> The root servers would share the ROOT Certificates and would sign a
Franck> certificate to eac
On Sat, 8 Jun 2002, Michael Richardson wrote:
> > "Franck" == Franck Martin <[EMAIL PROTECTED]> writes:
> Franck> I was wondering if the best system to build a global PKI wouldn't be the
> Franck> DNS system already in place?
>
> Franck> The root servers would share the ROOT Certi
On 6/8/02 3:01 PM, "Steven M. Bellovin" <[EMAIL PROTECTED]> wrote:
> I was excluding EDNS0, since I thought it wasn't widely implemented.
It has been implemented in the latest version of BINDv8, it has always been
in BINDv9, and I believe it is in Microsoft's DNS server (not positive on
this). G