Re: "Re: DNS? was Re: Key Management, anyone?"

Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> Thu, 08 August 1996 05:06 UTC

From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Message-Id: <199608080510.OAA10224@necom830.hpcl.titech.ac.jp>
Subject: Re: "Re: DNS? was Re: Key Management, anyone?"
To: Hilarie Orman <ho@earth.hpc.org>
Date: Thu, 08 Aug 1996 14:10:34 -0000
Cc: mohta@necom830.hpcl.titech.ac.jp, ipsec@TIS.COM
In-Reply-To: <199608080303.XAA02552@earth.hpc.org>; from "Hilarie Orman" at Aug 7, 96 11:03 pm
X-Mailer: ELM [version 2.3 PL11]
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk

> >  Authentication for what?
> 
> Clarified Assertion:
> The minimal basis for authentication is the association of a public key
> with an IP address.

Agreed, though the association of a public key with a hostname would
be a little more useful.

But, note that any string, for example, URLs, containing a hostname,
signature, date etc. can authenticate a hostname.

> The minimal authentication chain is through DNS
> zone authorities.

I disagree here.

The source, root, of the authentication varies application by
application.

DNS zone delegation chain is the natural chain for Internic to
                                               ^^^^^^^^^^^^
authenticate DNS data structure itself, but nothing more than
that.

Secure DNS chain is NOT useful to track to an authentication root.

To track to the proper root, we need application specific signatures.

For example, it is possible to modify SIG RRs and KEY RRs of secure
DNS to have some field designating the authentication root.

Then, using multiple SIG and KEY RRs for each root, we can track the
appropriate chain to reach the desired root of the authentication.

This, I think, could be the minimal authentication chain with DNS.

But, now, we are not so much motivated to let the authentication
chain follow the DNS structure. Authentication chain can just be a
relationship between DNS nodes. Note that traversing DNS structure
with NS, glue A and CNAME causes a lot of weird problems unrelated
to the authentication chain itself.

Finally, the problem of using DNS for such generic authentication
is that we need separate SIG RR and KEY RR for each root, which
can easily cause DNS UDP packet overflow.

So, I'm rather discouraged from using DNS for authentication other than
securing DNS structure itself.

						Masataka Ohta
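As an added illustration, not part of this thread or of any DNS implementation, here is a toy model of the idea above: each SIG and KEY RR carries an extra field naming its authentication root, a verifier follows only the records tagged with the root it trusts, and one KEY plus one SIG per root makes the answer for a name grow past the UDP limit. The root names, record layout and byte sizes are assumptions.

```python
from dataclasses import dataclass

DNS_UDP_LIMIT = 512  # classic DNS-over-UDP payload limit (RFC 1035)

@dataclass(frozen=True)
class KeyRR:
    owner: str   # name the key belongs to
    root: str    # proposed extra field: which authentication root this key serves
    key: str     # public key; an opaque token in this toy model

@dataclass(frozen=True)
class SigRR:
    owner: str   # name whose KEY RR is being signed
    root: str    # proposed extra field: which root's chain this signature belongs to
    signer: str  # name whose key produced the signature
    key: str     # toy stand-in for signature verification: must equal the signer's key

def find_chain(name, root, keys, sigs, trusted):
    """Follow SIG RRs tagged with `root` from `name` up to `root`, checking each
    signer's KEY RR for the same root. Returns the signer names in order, or
    None when no chain to that root exists or the root key is not the trusted one."""
    chain, cur, seen = [], name, set()
    while cur != root:
        if cur in seen:              # loop in the data: treat as no chain
            return None
        seen.add(cur)
        sig = next((s for s in sigs if s.owner == cur and s.root == root), None)
        if sig is None:
            return None
        skey = next((k for k in keys if k.owner == sig.signer and k.root == root), None)
        if skey is None or skey.key != sig.key:
            return None
        chain.append(sig.signer)
        cur = sig.signer
    rkey = next((k for k in keys if k.owner == root and k.root == root), None)
    return chain if rkey is not None and rkey.key == trusted.get(root) else None

def answer_size(owner, keys, sigs, key_bytes=128, rr_overhead=30):
    """Rough wire size of every KEY and SIG RR at `owner` (sizes are assumptions).
    One KEY plus one SIG per root means the answer grows linearly with the roots."""
    n = sum(1 for k in keys if k.owner == owner) + sum(1 for s in sigs if s.owner == owner)
    return n * (rr_overhead + key_bytes)

# Constructed sample data: a DNS-delegation chain to one root and a direct
# application-specific chain to another root, both for the same name.
KEYS = [KeyRR("www.example.", "internic.", "Kw1"), KeyRR("example.", "internic.", "Ke1"),
        KeyRR("internic.", "internic.", "Kroot1"),
        KeyRR("www.example.", "bankca.", "Kw2"), KeyRR("bankca.", "bankca.", "Kroot2")]
SIGS = [SigRR("www.example.", "internic.", "example.", "Ke1"),
        SigRR("example.", "internic.", "internic.", "Kroot1"),
        SigRR("www.example.", "bankca.", "bankca.", "Kroot2")]
TRUSTED = {"internic.": "Kroot1", "bankca.": "Kroot2"}  # the verifier's trust anchors
```

With these records, `find_chain("www.example.", "internic.", ...)` walks example. then internic., while the bankca. chain is one hop; `answer_size("www.example.", ...)` already exceeds 512 bytes with only two roots.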