Re: Global PKI on DNS?

2002-06-09 Thread David Conrad
On 6/8/02 3:01 PM, "Steven M. Bellovin" <[EMAIL PROTECTED]> wrote: > I was excluding EDNS0, since I thought it wasn't widely implemented. It has been implemented in the latest version of BINDv8, it has always been in BINDv9, and I believe it is in Microsoft's DNS server (not positive on this). G

Re: Global PKI on DNS?

2002-06-09 Thread Pekka Savola
On Sat, 8 Jun 2002, Michael Richardson wrote: > > "Franck" == Franck Martin <[EMAIL PROTECTED]> writes: > Franck> I was wondering if the best system to build a global PKI wouldn't be the > Franck> DNS system already in place? > > Franck> The root servers would share the ROOT Certi

Re: Global PKI on DNS?

2002-06-09 Thread Michael Richardson
> "Franck" == Franck Martin <[EMAIL PROTECTED]> writes: Franck> I was wondering if the best system to build a global PKI wouldn't be the Franck> DNS system already in place? Franck> The root servers would share the ROOT Certificates and would sign a Franck> certificate to eac

Re: Global PKI on DNS?

2002-06-09 Thread Valdis . Kletnieks
On Sat, 08 Jun 2002 13:22:28 -, Franck Martin said: > I was wondering if the best system to build a global PKI wouldn't be the > DNS system already in place? No. 1) There's *NOT* a good mapping between the DNS and LDAP (hint - DN=, O=, and OU+ can be at the same level...) 2) DNS has to be

Re: Global PKI on DNS?

2002-06-09 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, David Conrad writes: >On 6/8/02 6:22 AM, "Steven M. Bellovin" <[EMAIL PROTECTED]> wrote: >> DNS packets are limited to 512 bytes. > >No they are not. They are limited to 64K. Even without EDNS0, a large >response can fall back to TCP. You know this. I was exclud

Re: Global PKI on DNS?

2002-06-09 Thread Simon Josefsson
Pekka Savola <[EMAIL PROTECTED]> writes: > On Sat, 8 Jun 2002, Michael Richardson wrote: >> > "Franck" == Franck Martin <[EMAIL PROTECTED]> writes: >> Franck> I was wondering if the best system to build a global PKI wouldn't be the >> Franck> DNS system already in place? >> >> Fra

Re: Global PKI on DNS?

2002-06-09 Thread Eric A. Hall
on 6/8/2002 8:22 AM Franck Martin said the following: > I was wondering if the best system to build a global PKI wouldn't be the > DNS system already in place? This is an ongoing argument. Essentially there are two camps: Pro--there's a global database out there, let's put useful stuff

Re: Global PKI on DNS?

2002-06-09 Thread dreamwvr
On Sat, Jun 08, 2002 at 01:35:42PM -0700, David Conrad wrote: > On 6/8/02 6:22 AM, "Steven M. Bellovin" <[EMAIL PROTECTED]> wrote: > > DNS packets are limited to 512 bytes. > > No they are not. They are limited to 64K. Even without EDNS0, a large > response can fall back to TCP. You know this.

Re: Global PKI on DNS?

2002-06-09 Thread Bill Sommerfeld
> As others have pointed out, the DNS already has the capability > to store certs. So you could use the DNS as a publication > method. But is this the only thing a PKI needs? How would > one revoke a cert that was in the DNS? How can you update > -every- cached

Re: Global PKI on DNS?

2002-06-09 Thread Ben Laurie
Bill Sommerfeld wrote: >> As others have pointed out, the DNS already has the capability >> to store certs. So you could use the DNS as a publication >> method. But is this the only thing a PKI needs? How would >> one revoke a cert that was in the DNS? How can you update

Re: Global PKI on DNS?

2002-06-09 Thread Rich Salz
> actually UDP/IP max_size is 512 Bytes no; you're ignoring fragmentation which has been common since 1980 or so. __ OpenSSL Project http://www.openssl.org User Support Mailing List

Re: Global PKI on DNS?

2002-06-09 Thread Franck Martin
I see who you are talking about But I think it is a IETF pb to provide an informational RFC to provide a map between certificate DN and DNS namespace and to provide a mechanism to look at CERT and CRL Then it is an ICANN problem to implement on the root-servers and delegate to others...

Re: Global PKI on DNS?

2002-06-10 Thread Keith Moore
> I was wondering if the best system to build a global PKI wouldn't be the > DNS system already in place? A global PKI is a Bad Idea. Nobody is sufficiently trustworthy to be the root CA. Keith

Re: Global PKI on DNS?

2002-06-10 Thread Keith Moore
> Correction: A single global rooted PKI is a bad idea, a single global (in > the namespace sense, not a single system) PKI database where we can look up > certificates is a good idea. assuming that you can keep the folks who control the TLDs from trying to sell themselves as authoritative CAs f

Re: Global PKI on DNS?

2002-06-10 Thread Keith Moore
> Unfortunately, Zymyrgy's Law of Evolving Thermodynamics applies here. > The worms are out of the can, and I suggest anybody who wants to fight > this battle order at least a 4-sizes-larger can these particular worms are still in the can, and it's probably better for everyone if they stay t

Re: Global PKI on DNS?

2002-06-10 Thread Michael StJohns
Correction: A single global rooted PKI is a bad idea, a single global (in the namespace sense, not a single system) PKI database where we can look up certificates is a good idea. At 07:39 PM 6/9/2002 -0400, Keith Moore wrote: > > I was wondering if the best system to build a global PKI woul

Re: Global PKI on DNS?

2002-06-10 Thread Valdis . Kletnieks
On Sun, 09 Jun 2002 20:57:58 EDT, Keith Moore said: > assuming that you can keep the folks who control the TLDs from trying > to sell themselves as authoritative CAs for those TLDs, I mostly agree. Unfortunately, Zymyrgy's Law of Evolving Thermodynamics applies here. The worms are out of the ca

Re: Global PKI on DNS?

2002-06-10 Thread Valdis . Kletnieks
On Sun, 09 Jun 2002 21:36:08 EDT, Keith Moore said: > > Unfortunately, Zymyrgy's Law of Evolving Thermodynamics applies here. > > The worms are out of the can, and I suggest anybody who wants to fight > > this battle order at least a 4-sizes-larger can > > these particular worms are still in

Re: Global PKI on DNS?

2002-06-10 Thread Arne Ansper
> > 1) short lived certs > > 2) CRL's published at regular intervals. > > > > both involve a regularly-signed short-lived objects. > > Errr - OCSP? last year we implemented a system that used DNS (with security extensions) to distribute certificate validity information (among other things)

Re: Global PKI on DNS?

2002-06-11 Thread Eric A. Hall
on 6/8/2002 8:54 PM Simon Josefsson said the following: > Despite the FUD presented by certain individuals that doesn't want > keys/certs in DNS, people have already started doing it and it works > fine. Setting aside the issue of whether or not people are spreading FUD, perhaps you could tell u

Re: Global PKI on DNS?

2002-06-11 Thread Simon Josefsson
(Please respect Reply-To) "Eric A. Hall" <[EMAIL PROTECTED]> writes: > on 6/8/2002 8:54 PM Simon Josefsson said the following: > >> Despite the FUD presented by certain individuals that doesn't want >> keys/certs in DNS, people have already started doing it and it works >> fine. > > Setting aside

Re: Global PKI on DNS?

2002-06-12 Thread Keith Moore
Since I assume that most people on the lists already understand this stuff, I'll followup to Peter privately... > Somebody suggested out-of-band that I might be trolling with my last > post, but actually I was just surrendering to my frustration, for which > I apologize. I know what a wasteland

Re: Global PKI on DNS?

2002-06-12 Thread David Conrad
On 6/11/02 6:15 PM, "Eric A. Hall" <[EMAIL PROTECTED]> wrote: >> Why do you think the roots and TLDs would get millions of TCP queries for >> their certs? Why would anyone want to get the certs of the roots or tlds? > Why do you think anybody would cache them long-term if they were right > there

Re: Global PKI on DNS?

2002-06-12 Thread John Stracke
>Such software would not see this kind of data unless a user >of the server tried to use this stuff, and in that case I don't see >why that user couldn't upgrade her own software to get it to work. Because it's not their software? If I wanted to do PKI through DNS, and my ISP's server did not su

Re: Global PKI on DNS?

2002-06-12 Thread Eric A. Hall
on 6/11/2002 11:01 PM David Conrad said the following: > Why would anyone care about root or TLD _certificates_? Uhh, because it was requested: on 6/8/2002 8:22 AM Franck Martin said the following: | The root servers would share the ROOT Certificates and would sign a | certificate to each

Re: Global PKI on DNS?

2002-06-12 Thread John Stracke
>> Because it's not their software? If I wanted to do PKI through DNS, and my >> ISP's server did not support TCP, I might be stuck. Personally, I don't >> depend on my ISP for DNS, but many users do. > >So users wanting this new service will be pretty motivated to switch DNS >servers when the

RE: Global PKI on DNS?

2002-06-12 Thread Franck Martin
--Original Message- From: Chris Evans [mailto:[EMAIL PROTECTED]] Sent: Thursday, 13 June 2002 4:46 To: David Conrad; Derek Atkins Cc: Eric A. Hall; John Stracke; ietf; [EMAIL PROTECTED]; Key Distribution; [EMAIL PROTECTED] Subject: Re: Global PKI on DNS? Then a global PKI protocol server needs to be i

Re: Global PKI on DNS?

2002-06-13 Thread David Conrad
On 6/12/02 8:20 AM, "Eric Rescorla" <[EMAIL PROTECTED]> wrote: >> But I can do >> this only if I can discover certs that *aren't* either in the set it hands >> me or in my local set, and TLS says nothing about how to do this. > Yes, because it's an edge case. Scalability as an edge case. Hmm. >

Re: Global PKI on DNS?

2002-06-13 Thread Fred Baker
At 10:27 PM 6/7/2002 -0400, [EMAIL PROTECTED] wrote: >2) DNS has to be *FAST*, especially at the root - we're talking on the >order of 200K queries a *SECOND*. You figure out how to do that while >also tossing certificates around, let us know... I must be missing something. As far as I know, the

Re: Global PKI on DNS?

2002-06-13 Thread Keith Moore
> > I don't want to discount the importance of cert discovery, but I do > > think it's a stretch to believe that you're going to be willing to trust > > all of the certs that you discover in a chain of significant length, for > > a significant set of purposes. > > So do you think that there's a n

Re: Global PKI on DNS?

2002-06-13 Thread Jakob Schlyter
could we perhaps move this discussion to [EMAIL PROTECTED]? jakob

Re: Global PKI on DNS?

2002-06-13 Thread Keith Moore
> >We're already trusting chains of significant length (i.e. DNS delegation) > >with no decent verification at all. > > That's a good point. PKI on DNS might not be the most trustworthy system > imaginable, but it would probably be an improvement over no PKI. Provided > it doesn't break DNS...

Re: Global PKI on DNS?

2002-06-13 Thread Paul Hoffman / IMC
At 7:44 PM +0200 6/12/02, Jakob Schlyter wrote: >could we perhaps move this discussion to [EMAIL PROTECTED]? Yes we could, but whether or not people want to is another question. As for the people who have made comments about "it would be nice to be able to discover paths to trusted roots", plea

Re: Global PKI on DNS?

2002-06-13 Thread Chris Evans
Then a global PKI protocol server needs to be invented so you can just get the certs from the domain in question. i dont wanna see DNS system bogged down by this stuff. IMHOOC! use dns to get the IP and request from its IP the pki doc.. duh. 6/11/02 6:51:26 PM, Derek Atkins <[EMAIL PROTECTE

Re: Global PKI on DNS?

2002-06-13 Thread John Stracke
>> I don't want to discount the importance of cert discovery, but I do >> think it's a stretch to believe that you're going to be willing to >> trust all of the certs that you discover in a chain of significant >> length, for a significant set of purposes. > >We're already trusting chains of signf

RE: Global PKI on DNS?

2002-06-13 Thread John Stracke
>The CERT extension to DNS allows to place there a URI, a URI is smaller than >a cert and stays in a udp packet. Bootstrap problem: how can you trust the results of the URI? /=\ |John Stracke|Principal Engineer

Re: Global PKI on DNS?

2002-06-13 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Thu, 13 Jun 2002 10:08:49 -0400, "John Stracke" <[EMAIL PROTECTED]> said: jstracke> >The CERT extension to DNS allows to place there a URI, a jstracke> >URI is smaller than a cert and stays in a udp packet. jstracke> jstracke> Bootstrap problem: how can you tru
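Two claims run through this thread: that a DNS answer has to fit in 512 bytes of UDP unless the client advertises more via EDNS0 (or the server sets TC and the client retries over TCP), and that a CERT record holding a URI is small enough to avoid that problem where a full X.509 certificate is not. The following is an added illustration written for this archive page, not code posted by any participant. It builds the wire formats involved (RFC 1035 header and question, the RFC 2671 OPT pseudo-RR, and RFC 2538 CERT RDATA) and runs the server-side size decision. The name example.com, the URL https://pki.example.com/cert.der, the 1200-octet zero blob standing in for a DER certificate, and the zero key tag/algorithm fields are all constructed for the example.

```python
import struct

TYPE_CERT = 37          # CERT RR type code (RFC 2538)
TYPE_OPT = 41           # OPT pseudo-RR type code (RFC 2671, EDNS0)
CLASS_IN = 1
CERT_PKIX = 1           # CERT subtype: X.509 certificate per PKIX
CERT_URI = 253          # CERT subtype: URI pointing at the object
UDP_MAX_CLASSIC = 512   # RFC 1035 UDP message limit without EDNS0
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """RFC 1035 owner-name encoding: length-prefixed labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > 255:
        raise ValueError("name longer than 255 octets")
    return out


def _skip_name(msg, off):
    """Offset just past the name at msg[off]; a 0xC0.. compression pointer is two octets."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def opt_rr(udp_payload_size):
    """EDNS0 OPT pseudo-RR: root owner, TYPE=OPT, the CLASS field carries the sender's
    maximum UDP payload size, TTL carries extended RCODE/version/flags (zero here), no RDATA."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, 0, 0)


def build_query(name, qtype, txid=0x1234, edns_payload=None):
    """Standard query; with edns_payload set, an OPT RR goes in the additional section."""
    arcount = 1 if edns_payload else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_payload:
        msg += opt_rr(edns_payload)
    return msg


def cert_rdata(cert_type, key_tag, algorithm, body):
    """CERT RDATA (RFC 2538 s2.1): type(16) | key tag(16) | algorithm(8) | certificate or CRL.
    Key tag and algorithm are zero here because the object is not tied to a DNSSEC key."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + body


def parse_cert_rdata(rdata):
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return cert_type, key_tag, algorithm, rdata[5:]


def build_response(name, rdatas, txid=0x1234, ttl=3600):
    """Response with one CERT RR per RDATA; owner names are a compression pointer
    (0xC00C) back to the question name, which always starts at offset 12."""
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA, 1, len(rdatas), 0, 0)
    msg = header + encode_name(name) + struct.pack("!HH", TYPE_CERT, CLASS_IN)
    for rdata in rdatas:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_CERT, CLASS_IN, ttl, len(rdata)) + rdata
    return msg


def advertised_udp_limit(query):
    """Largest UDP message the querier accepts: the CLASS field of its OPT RR, or 512
    when it sent none. RFC 2671 says advertised values below 512 are treated as 512."""
    _, _, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", query[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(query, off) + 4
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == TYPE_OPT:
            return max(rclass, UDP_MAX_CLASSIC)
        off += 10 + rdlen
    return UDP_MAX_CLASSIC


def deliver_over_udp(query, response):
    """Server side of the fallback argued about above: if the answer exceeds the querier's
    UDP limit, send header + question with TC set so the client retries over TCP.
    Returns (datagram, needs_tcp_retry)."""
    if len(response) <= advertised_udp_limit(query):
        return response, False
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", response[:12])
    question_end = _skip_name(response, 12) + 4
    header = struct.pack("!HHHHHH", txid, flags | FLAG_TC, qdcount, 0, 0, 0)
    return header + response[12:question_end], True


def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


# Constructed sample data (not from the thread): a URI-type CERT and a PKIX-type CERT
# whose body is a 1200-octet placeholder for a real DER-encoded certificate.
SAMPLE_NAME = "example.com"
URI_RESPONSE = build_response(SAMPLE_NAME, [cert_rdata(CERT_URI, 0, 0, b"https://pki.example.com/cert.der")])
PKIX_RESPONSE = build_response(SAMPLE_NAME, [cert_rdata(CERT_PKIX, 0, 0, bytes(1200))])

if __name__ == "__main__":
    for label, query in (("no EDNS0", build_query(SAMPLE_NAME, TYPE_CERT)),
                         ("EDNS0 4096", build_query(SAMPLE_NAME, TYPE_CERT, edns_payload=4096))):
        for kind, resp in (("URI", URI_RESPONSE), ("PKIX", PKIX_RESPONSE)):
            datagram, retry = deliver_over_udp(query, resp)
            print("%-10s %-4s answer=%4d octets -> sent %4d octets, TC=%s, TCP retry=%s"
                  % (label, kind, len(resp), len(datagram), is_truncated(datagram), retry))
```

Run as a script it prints the four combinations: the 78-octet URI answer goes out intact either way, while the 1246-octet PKIX answer is cut to a 29-octet TC reply for a client without EDNS0 and only delivered over UDP once the client advertises 4096. That is the whole of the disagreement between "512 bytes" and "64K with EDNS0 or TCP": both are right, and which one applies depends on what the querier's resolver sends, which is why the later posts about ISP resolvers lacking TCP or EDNS0 support matter.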