Re: DNS? was Re: Key Management, anyone?
"PALAMBER.US.ORACLE.COM" <PALAMBER@us.oracle.com> Mon, 05 August 1996 16:00 UTC
Message-Id: <199608051607.JAA05453@mailsun2.us.oracle.com>
Date: Mon, 05 Aug 1996 08:52:03 -0700
From: "PALAMBER.US.ORACLE.COM" <PALAMBER@us.oracle.com>
To: ho@earth.hpc.org
Subject: Re: DNS? was Re: Key Management, anyone?
Cc: ipsec@TIS.COM
X-Orcl-Application: In-Reply-To: UNX02.US.ORACLE.COM:ipsec-approval@neptune.hq.tis.com's message of 01-Aug-96 05:15

Hilarie,

>TCP requires IP, so the IETF guidelines cannot be
>taken too seriously in the regard to banning protocol dependencies!

Yes, they are only loose recommendations, and I believe (not having the exact RFC in front of me) that the intent was to minimise the interaction between major subsystems and not specific protocols.

>Why isn't DNSSEC the appropriate minimal common basis for authentication?

This seems to be a strong direction of recent mailing list discussion...

DNSSEC is one way to format and distribute certificates. It also implies a specific trust model and naming based on DNS. An IPsec specification should provide recommendations for the minimum required certificate format for IPsec authentication.

For ISAKMP, I do not see why certificate distribution is required. Peer systems can readily exchange all required certificates directly, so a certificate distribution system like DNS may not be required.

Paul

--------------------------------------------------------------
Paul Lambert                     Director of Security Products
Oracle Corporation               Phone: (415) 506-0370
500 Oracle Parkway, Box 659410   Fax: (415) 413-2963
Redwood Shores, CA 94065         palamber@us.oracle.com
!!! Still hiring, send resumes to: palamber@us.oracle.com !!!
--------------------------------------------------------------

--- Begin Message ---
I agree with the individual points, but I'm not convinced by the conclusion.

Why isn't DNSSEC the appropriate minimal common basis for authentication? I believe we need such a basis, and DNSSEC seems to be the obvious choice. This wouldn't rule out the optional use of other methods.

TCP requires IP, so the IETF guidelines cannot be taken too seriously in the regard to banning protocol dependencies!
--- End Message ---