Re: PKS, and the DV/MD choice...

Christian Huitema <> Mon, 28 April 1997 15:43 UTC

Received: from cnri by id aa05508; 28 Apr 97 11:43 EDT
Received: from by CNRI.Reston.VA.US id aa12442; 28 Apr 97 11:43 EDT
Received: from mailing-list by (8.6.9/1.0) id BAA12946; Tue, 29 Apr 1997 01:36:31 +1000
Received: from munnari.OZ.AU by (8.6.9/1.0) with SMTP id BAA12924; Tue, 29 Apr 1997 01:27:42 +1000
Received: from by munnari.OZ.AU with SMTP (5.83--+1.3.1+0.56) id PA06850; Tue, 29 Apr 1997 01:27:35 +1000 (from
Received: from by with SMTP (5.83--+1.3.1+0.51) id AA04404; Tue, 29 Apr 1997 01:27:31 +1000 (from
Received: (from huitema@localhost) by (8.6.9/8.6.10) id LAA20751 for; Mon, 28 Apr 1997 11:26:13 -0400
Date: Mon, 28 Apr 1997 11:26:13 -0400
From: Christian Huitema <>
Message-Id: <>
In-Reply-To: (Noel Chiappa) "PKS, and the DV/MD choice..." (Apr 28, 10:43am)
References: <>
X-Mailer: Z-Mail (3.2.1 10oct95)
Subject: Re: PKS, and the DV/MD choice...
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Precedence: bulk

So, we want secure connectivity information, saying essentially that "net
X is connected to AS Y".  One option is to modify BGP-6 to carry
certificates. But this is overkill -- the connectivity information is
static, about as static as address assignment.  Why not just place it in
the DNS? The inverse domains can be secured by DNSSEC, with delegation
traceable all the way up to the IANA.  We could easily place an AS record
in that hierarchy, e.g. "* AS IN 12345".  That would allow
instant checks by just looking in the DNS, and a path to escalation in
paranoia land for the security conscious.

Christian Huitema
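The check sketched in the mail, as an added example that is not part of the original message or of any IETF specification: the checker maps a prefix to its reverse-DNS name, walks up the tree for a wildcard entry of the kind the mail suggests ("* AS IN 12345"), and compares the origin AS it finds with the one claimed. The "AS" record type is hypothetical (the mail proposes it; no such type exists), the record store and its contents are constructed for this example, and DNSSEC validation is modelled as a flag on each record rather than performed, so nothing is queried on the network.

```python
"""Look up "net X is connected to AS Y" in a (constructed) reverse-DNS tree.

Added example, not code from the original mail.  The AS record type is the
hypothetical one the mail proposes; the record store is constructed inline.
"""
import ipaddress

# Constructed zone data: wildcard reverse names -> (origin AS, DNSSEC-validated).
# The "*" label stands for the wildcard entry the mail sketches ("* AS IN 12345").
CONSTRUCTED_RECORDS = {
    "*.2.0.192.in-addr.arpa": (12345, True),   # 192.0.2.0/24   -> AS12345, signed
    "*.51.198.in-addr.arpa": (64500, True),    # 198.51.0.0/16  -> AS64500, signed
    "*.100.in-addr.arpa": (64496, False),      # 100.0.0.0/8    -> AS64496, NOT validated
}


def reverse_name(prefix: str) -> str:
    """Map an IPv4 prefix on an octet boundary to its in-addr.arpa name.

    Prefixes that do not fall on an octet boundary have no single reverse
    name, so they are rejected rather than guessed at.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4 or net.prefixlen == 0 or net.prefixlen % 8 != 0:
        raise ValueError("only IPv4 prefixes on octet boundaries are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def lookup_origin_as(records, name):
    """Return the most specific wildcard AS record covering `name`, or None.

    Simplified wildcard matching: walk from the most specific name upward and
    take the first "*." entry found (real DNS wildcard rules have more cases).
    """
    labels = name.split(".")
    for i in range(len(labels) - 2):          # stop before "in-addr.arpa"
        candidate = "*." + ".".join(labels[i:])
        if candidate in records:
            return records[candidate]
    return None


def check_origin(records, prefix, claimed_as):
    """Classify a claimed origin AS as 'ok', 'mismatch', 'unsigned' or 'unknown'.

    An answer that did not validate under DNSSEC is reported as 'unsigned'
    rather than trusted: the mail's whole point is that the delegation chain
    up to the IANA is what makes the answer worth acting on.
    """
    found = lookup_origin_as(records, reverse_name(prefix))
    if found is None:
        return "unknown"
    origin_as, validated = found
    if not validated:
        return "unsigned"
    return "ok" if origin_as == claimed_as else "mismatch"


if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 12345), ("192.0.2.0/24", 65000),
                        ("198.51.100.0/24", 64500), ("203.0.113.0/24", 64496),
                        ("100.64.0.0/16", 64496)]:
        print(f"{prefix:>16} claimed by AS{asn}: "
              f"{check_origin(CONSTRUCTED_RECORDS, prefix, asn)}")
```

The "unsigned" outcome is the one a practitioner would watch: a plain DNS answer says nothing about who is entitled to originate the prefix, so a checker that treats an unvalidated record as "ok" gives only the appearance of the escalation path the mail describes.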