Re: PKS, and the DV/MD choice...
Christian Huitema <firstname.lastname@example.org> Mon, 28 April 1997 15:43 UTC
Received: from cnri by ietf.org id aa05508; 28 Apr 97 11:43 EDT
Received: from murtoa.cs.mu.OZ.AU by CNRI.Reston.VA.US id aa12442; 28 Apr 97 11:43 EDT
Received: from mailing-list by murtoa.cs.mu.OZ.AU (8.6.9/1.0) id BAA12946; Tue, 29 Apr 1997 01:36:31 +1000
Received: from munnari.OZ.AU by murtoa.cs.mu.OZ.AU (8.6.9/1.0) with SMTP id BAA12924; Tue, 29 Apr 1997 01:27:42 +1000
Received: from mulga.cs.mu.OZ.AU by munnari.OZ.AU with SMTP (5.83--+1.3.1+0.56) id PA06850; Tue, 29 Apr 1997 01:27:35 +1000 (from email@example.com)
Received: from seawind.bellcore.com by mulga.cs.mu.OZ.AU with SMTP (5.83--+1.3.1+0.51) id AA04404; Tue, 29 Apr 1997 01:27:31 +1000 (from firstname.lastname@example.org)
Received: (from huitema@localhost) by seawind.bellcore.com (8.6.9/8.6.10) id LAA20751 for email@example.com; Mon, 28 Apr 1997 11:26:13 -0400
Date: Mon, 28 Apr 1997 11:26:13 -0400
From: Christian Huitema <firstname.lastname@example.org>
In-Reply-To: email@example.com (Noel Chiappa) "PKS, and the DV/MD choice..." (Apr 28, 10:43am)
X-Mailer: Z-Mail (3.2.1 10oct95)
Subject: Re: PKS, and the DV/MD choice...
Content-Type: text/plain; charset=us-ascii
So, we want secure connectivity information, saying essentially that "net X is connected to AS Y". One option is to modify BGP-6 to carry certificates. But this is overkill -- the connectivity information is static, about as static as address assignment. Why not just place it in the DNS ? The inverse domains can be secured by DNS sec, with delegation traceable all the way up to the IANA. We could easily place an AS record in that hierarchy, e.g. "*.18.in-addr.arpa AS IN 12345". That would allow instant checks by just looking in the DNS, and a path to escalation in paranoia land for the security conscious. -- Christian Huitema