Re: IPSEC goes to RFC

Nesta Stubbs writes:
> There are some other problems too I believe.  I have worked for a decent 
> sized network who did all user authentication at the terminal servers for 
> dial-in accounts thru DNS.  This wasn't too bad for just passwords and 
> stuff, but wouldn't this cause some bloat in the nameservers database?  

HESIOD is an excellent demonstration that it works just fine.

> As well as cause problems security wise when it comes to updates.  Would 
> these automatically not be cached in any form by the site making the 
> request?  This also causes a problem for smaller time people who perhaps 
> have a PPP/SLIP connection 24/7 but have name service done by their provider, 
> and I for sure don't want my provider to be in control of those keys. 

Why not? After all, they are signed. You can have them held by your
worst enemy and it should be just fine. That's the idea of public key