User: Password:
|
|
Subscribe / Log in / New account

@ndye: DNSSEC and PKI

@ndye: DNSSEC and PKI

Posted Jun 23, 2011 20:31 UTC (Thu) by copsewood (subscriber, #199)
In reply to: DNSSEC and PKI by ndye
Parent article: On keys and users

"So why do you assert no difference between

alice@smith.coventry.uk
alice.smith.coventry.uk"

I was pointing out the fact of syntactic difference but the semantic similarity.

In the first example, the email admin of smith.coventry.uk creates the ID. In the second example the DNS admin of smith.coventry.uk does. Syntactically (based upon punctuation) we assume the first to be an email address and the second to be a DNS name. Semantically (the meaning behind the use of words) we have delegation of authority over identity through the big endian chain of labels in both cases, and it matters little whether the granter of the globally unique identity concerned is looking after a DNS or an email server.

The point I'm making here is that the DNS concept is inherently extensible to include everyone on the planet and use of all kinds of network services, not just the narrow priesthood of server operating geeks. RFC4255 http://tools.ietf.org/html/rfc4255 and RFC4871 Domainkeys http://tools.ietf.org/html/rfc4871 both demonstrate interest in using DNS and DNSSEC for secure or cheap public key storage and access in respect of non-DNS protocols (SSH and SMTP respectively). The use cases to extend the SMTP concept initially to Domainkeys (to prevent cheap email origin spoofing) , and to extend the Domainkeys concept to using DNSSEC to create certificates for authentication and privacy of email seem reasonably clear.


(Log in to post comments)


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds