On Thu, 1 Mar 2012, Giovanni Campagna wrote:
> The same protections should be used, that is DNSSEC and end-to-end authentication (SSH, TLS). This still leaves the real mDNS area unprotected, but this is to be expected, and it's just a UI issue (that could be resolved once network zones land).
One good use that can be made of DNSSEC is that you can broadcast your security chain from DNSSEC. My laptop can announce itself as pwouters.redhat.com. It will announce the DNS chain from com to redhat.com to pwouters.redhat.com. The other person, let's say john.foobar.com, produces the DNS chain from com to foobar.com to john.foobar.com. Now each party can, with just the preloaded root DNS key, obtain a cryptographic identity based on a simple identifier (hostname). We can connect our laptops, or phones, simply by saying "my laptop is pwouters.redhat.com". We could even do this without having any internet connection, exchange public keys, and set up an IPsec tunnel between our machines/phones, and only then transfer our personal data.

We only need some people to write and submit an IETF draft for this :)

(AFAIK, people were already working on standardising DNSSEC blobs for use in embedding them in certificates, eg Adam Langley and Dan Kaminsky)

Paul

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
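The offline exchange Paul sketches above, walked through in code as an added example (this is not code from the thread, from Fedora, or from any DNSSEC implementation). It assumes a simplified model: each parent publishes a DS-like digest of its child's key, signed with the parent's own key; the verifier starts from nothing but a preloaded root key, checks every delegation step, and ends up with an authenticated key for the hostname, which then signs the peer's challenge. The names (com, redhat.com, pwouters.redhat.com) come from the mail; the keys, the challenge and the DS encoding (SHA-256 over name plus key) are constructed here, and Lamport one-time signatures stand in for the RSA/ECDSA algorithms real DNSKEY/RRSIG records use, so that the block runs with the standard library only.

```python
import hashlib
import os
from dataclasses import dataclass

# Constructed example: a toy DNSSEC-style chain of trust, verified offline
# from a single preloaded root key. Signature scheme below (Lamport one-time
# signatures) is a stdlib-only stand-in for real DNSKEY algorithms; each key
# here signs exactly one message, as a one-time scheme requires.


def sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


# --- Lamport one-time signatures ---------------------------------------
def keygen():
    # 256 pairs of secret preimages; the public key is the hash of each one.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = b"".join(sha256(a) + sha256(b) for a, b in sk)
    return sk, pk


def sign(sk, msg: bytes) -> bytes:
    # Reveal one preimage per bit of the message digest.
    bits = int.from_bytes(sha256(msg), "big")
    return b"".join(sk[i][(bits >> (255 - i)) & 1] for i in range(256))


def verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    if len(pk) != 512 * 32 or len(sig) != 256 * 32:
        return False
    bits = int.from_bytes(sha256(msg), "big")
    for i in range(256):
        b = (bits >> (255 - i)) & 1
        revealed = sig[32 * i:32 * (i + 1)]
        expected = pk[64 * i + 32 * b:64 * i + 32 * (b + 1)]
        if sha256(revealed) != expected:
            return False
    return True


# --- Chain of trust ------------------------------------------------------
def ds_digest(name: str, dnskey: bytes) -> bytes:
    # Like a DS record: binds the child's owner name to the child's public key.
    return sha256(name.encode(), dnskey)


@dataclass
class Link:
    name: str      # child zone name, e.g. "redhat.com." (made up here)
    dnskey: bytes  # child's public key (its DNSKEY)
    ds_sig: bytes  # parent's signature over ds_digest(name, dnskey)


def is_child(child: str, parent: str) -> bool:
    # "redhat.com." is under "com."; "foocom." is not.
    suffix = parent if parent == "." else "." + parent
    return child != parent and child.endswith(suffix)


def build_chain(root_sk, names):
    """What the laptop announces: one Link per level from the TLD down.
    Returns (links, leaf_secret_key)."""
    links, parent_sk = [], root_sk
    for name in names:
        child_sk, child_pk = keygen()
        links.append(Link(name, child_pk, sign(parent_sk, ds_digest(name, child_pk))))
        parent_sk = child_sk
    return links, parent_sk


def verify_chain(root_pk: bytes, links, expected_name: str):
    """Walk from the preloaded root key. Every DS must be signed by the key
    established at the previous step and must descend in the name tree.
    Returns the leaf's authenticated DNSKEY, or None on any failure."""
    current_pk, parent = root_pk, "."
    for link in links:
        if not is_child(link.name, parent):
            return None
        if not verify(current_pk, ds_digest(link.name, link.dnskey), link.ds_sig):
            return None
        current_pk, parent = link.dnskey, link.name
    return current_pk if parent == expected_name else None


def check_identity(root_pk, links, name, challenge, proof) -> bool:
    # Peer says "I am <name>": authenticate the key via the chain, then the challenge.
    pk = verify_chain(root_pk, links, name)
    return pk is not None and verify(pk, challenge, proof)


def demo():
    root_sk, root_pk = keygen()  # stand-in for the preloaded root trust anchor
    links, leaf_sk = build_chain(root_sk, ["com.", "redhat.com.", "pwouters.redhat.com."])
    challenge = os.urandom(32)   # nonce chosen by the peer (constructed)
    ok = check_identity(root_pk, links, "pwouters.redhat.com.", challenge, sign(leaf_sk, challenge))
    # An attacker swaps in their own key for the leaf: the parent's DS signature
    # no longer matches, so the chain, and with it the identity, is rejected.
    evil_sk, evil_pk = keygen()
    forged = links[:-1] + [Link("pwouters.redhat.com.", evil_pk, links[-1].ds_sig)]
    bad = check_identity(root_pk, forged, "pwouters.redhat.com.", challenge, sign(evil_sk, challenge))
    return ok, bad


if __name__ == "__main__":
    print(demo())
```

Two checks carry the security argument: the DS signature chains each key to the one above it, so a substituted key fails at the delegation that should have vouched for it, and the name check stops a valid chain for one host being presented as another. The chain can be exchanged over any medium, including a direct link with no internet access, because nothing in the verification needs a lookup.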