[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSEC goes to RFC

Matthew Ghio writes:
> [email protected] (Stephen D. Williams) wrote:
> > I really like the idea of using DNS for (public I assume) keys...
> I don't.
> Public keys in the DNS is a bad idea because it makes it difficult to
> update the database, especially in large organizations.

Thats one of a number of reasons why the DNS dynamic update facility
has been created.

> The host should be able to give
> its own key in response to a query.

What makes you assume we are using hosts as the keyed endpoints in the
usual case? Users are also getting keys, and querying them will be
difficult until humans all come equipped with implanted radio
transmitters. See "The Presidents Analyst" for a possible solution to
that problem, but I prefer DNS :-)