[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSEC goes to RFC

To: [email protected]
Subject: Re: IPSEC goes to RFC
From: [email protected] (Hadmut Danisch)
Date: Fri, 11 Aug 1995 12:56:35 +0200
Sender: [email protected]

> [email protected] (Stephen D. Williams) wrote:
> 
> > I really like the idea of using DNS for (public I assume) keys...

[email protected] (Matthew Ghio) wrote:

> I don't.
> 
> Public keys in the DNS is a bad idea because it makes it difficult to
> update the database, especially in large organizations.  When a host's
> key is issued or changed then they would have to get the nameserver
> admin to change it for them.  This could become a major problem/
> inconvenience for many, many people.  The host should be able to give
> its own key in response to a query.  That key could, of course, be
> signed by any number of trusted signators to guarentee authenticity.

I also like the idea of DNS-based public key distribution, but
what Matthew said is true. 

What about this:

Let the DNS-Server export the address of a machine which runs the
public-key-database for this domain, similar to the MX record for
the mailserver.

If you need the public key for a person identified by the email
address or for a host identified by hostname or IP address, you
could ask the DNS server where to get the public key.

The database host could run any program suitable to local requirements
and export public keys with a certain protocol...

Hadmut

Prev by Date: Re: Australia, EU crypto ill news, crypto wars
Next by Date: Re: More "S-1" foolishness
Prev by thread: Re: IPSEC goes to RFC
Next by thread: Re: IPSEC goes to RFC
Index(es):
- Date
- Thread