Simon and all,

-----Original Message-----
>From: Simon Josefsson <simon@xxxxxxxxxxxxx>
>Sent: Oct 26, 2010 2:46 PM
>To: iesg@xxxxxxxx, ietf@xxxxxxxx
>Cc: keyassure@xxxxxxxx
>Subject: Re: [keyassure] WG Review: Keys In DNS (kidns)
>
>I believe the KIDNS charter is generally good and I support forming this
>WG to work on this topic, however I have one important concern:
>
>> Specify mechanisms and techniques that allow Internet applications to
>> establish cryptographically secured communications by using information
>> distributed through the DNS and authenticated using DNSSEC to obtain
>> public keys which are associated with a service located at a
>> domain name.
>
>I fear this wording will lead to a standard that _requires_ people to
>adopt the sloppy security practice of using the same credential for two
>(or more) unrelated services.

I share this concern. The above referenced wording needs revision.

>
>By only locating services by domain name, the separation between ports
>(e.g., 443 or 587) and transport protocols (UDP vs TCP) is lost.

Not lost really, but confused, perhaps...

>
>I object to that limitation. I believe it is important that any
>solution in this space supports different certificates for different
>ports/protocols on the same host.

Why not have both? One being a shared cert as acceptable, and the option of one for each?

>
>My experience with how protocols are deployed is that it is common for
>both web (HTTPS) and e-mail (SMTP with STARTTLS) to be hosted on the
>same domain name but with different certificates.
>
>For example, the host "lists.debian.org" is reachable with HTTPS (with a
>matching certificate) and also through SMTP with STARTTLS (also with a
>matching certificate). The services are using different certificates!

I see nothing wrong with this, and conversely nothing wrong with both using a shared cert for each.

>
>There are other examples, lists.ubuntu.com and even mail.ietf.org, even
>if not all appear to support SMTP+STARTTLS.
>
>Thus, I'd like to see the charter clarify that services are located at a
>distinct port/protocol/domain-name rather than only at a domain-name.
>
>/Simon
>_______________________________________________
>keyassure mailing list
>keyassure@xxxxxxxx
>https://www.ietf.org/mailman/listinfo/keyassure

Regards,

Jeffrey A. Williams
"Obedience of the law is the greatest freedom" - Abraham Lincoln
"Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@xxxxxxxxxxxxx
Phone: 214-244-4827
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf