Re: Global PKI on DNS?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 12 Jun 2002, Eric Rescorla wrote:

> Nearly all of the major IETF security protocols (TLS, IPsec, OpenPGP)
> already have their own certificate discovery mechanism and therefore
> have no need to have certificates in the DNS. TLS, in particular,
> wouldn't know what to do with them if they were there.

This is missing the point.  Sure, TLS provides the ability for both
clients and servers to send certificate chains to their peers as part of
session startup.  But what happens if I'm a client, and the chain the
server sends me ends in a cert that I don't know about?  I *might* be able
to construct a path from one of my trusted roots to one of the certs in
the path it sends me, and hence be able to validate the whole chain and
hence successfully start the session, instead of failing.  But I can do
this only if I can discover certs that *aren't* either in the set it hands
me or in my local set, and TLS says nothing about how to do this.  That's
the problem that people would like to solve to enable more scalable PKI;
it can't be handwaved away.  I'm not particularly a fan of using DNS for
this, but discovery remains important.

 - RL "Bob"



[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]