
Re: IPSEC goes to RFC



On Thu, 10 Aug 1995, Matthew Ghio wrote:

> [email protected] (Stephen D. Williams) wrote:
> 
> > I really like the idea of using DNS for (public I assume) keys...
> 
> I don't.
> 
> Public keys in the DNS is a bad idea because it makes it difficult to
> update the database, especially in large organizations.  When a host's
> key is issued or changed then they would have to get the nameserver
> admin to change it for them.  This could become a major problem/
> inconvenience for many, many people.  The host should be able to give
> its own key in response to a query.  That key could, of course, be
> signed by any number of trusted signatories to guarantee authenticity.
>
There are some other problems too, I believe.  I have worked for a decent 
sized network that did all user authentication at the terminal servers for 
dial-in accounts through DNS.  This wasn't too bad for just passwords and 
stuff, but wouldn't this cause some bloat in the nameserver's database?  
As well as cause problems security-wise when it comes to updates.  Would 
these automatically not be cached in any form by the site making the 
request?  This also causes a problem for smaller-time people who perhaps 
have a PPP/SLIP connection 24/7 but have nameservice done by their provider, 
and I for sure don't want my provider to be in control of those keys. 
 

Nesta Stubbs		  "under the streamlined chrome shell, you'd 
Cynico Network Consulting   find the same victorian mechanism." WG
[email protected]