ietf-dkim

Re: [ietf-dkim] Requirements on where/how SSP stuff is published...

2006-07-28 07:34:07

On Fri, 28 Jul 2006, Stephen Farrell wrote:

> Folks,
>
> We all (or almost all) seem to be assuming that the DNS is the
> place to put SSP stuff.

DNS is not the right place to put public keys either - it's been
shown here many times that it makes DNS systems vulnerable to attack
when you put such large records, and it creates serious extra overhead
for caching DNS servers to be able to support this additional data
(you're basically abusing somebody else's deployed protocol base for
something it was not designed to do - DNS works best as a database
of short fixed-size locator records).

But this WG made the assumption that DNS is the right place when it
first started, without making an objective judgment of the alternatives,
so why you're asking this question now is beyond me. If you had
another alternative for SSP that would be good, but if you rely on some
other system protocol for retrieving policy, that means most
verifiers would support that protocol, so you might as well
consider using that protocol instead of DNS for public
key retrieval and be done.

> I just wanted to raise the question to see if that's a requirement
> or just a near-accidental part of the current design proposals.
>
> So is using the DNS in fact necessary? If it is, we may need text
> that explicitly says why at some stage.
>
> If not, what are our requirements for where/how to publish SSP
> stuff?
>
> Stephen.
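The objection above about "such large records" turns on how big a DKIM key record actually is on the wire. The following is an added example (mine, not code from this thread or from the DKIM drafts) that sizes the TXT record and a minimal UDP answer carrying it for 1024-, 2048- and 4096-bit RSA keys, and shows the 255-byte character-string split that long keys need. The owner name selector._domainkey.example.com is an assumption, and the modulus is a constructed placeholder of the right bit length, not a real key; only the encoded size matters here.

```python
"""Size a DKIM public-key TXT record and the DNS answer carrying it.

Added example, not part of the ietf-dkim thread. The modulus is a
constructed placeholder (not a real RSA key); the owner name is assumed.
"""
import base64

# AlgorithmIdentifier for rsaEncryption with NULL parameters (fixed 15 bytes).
RSA_ENCRYPTION_ALGID = bytes.fromhex("300d06092a864886f70d0101010500")
DNS_UDP_LIMIT = 512  # RFC 1035: UDP messages are limited to 512 octets without EDNS0
MAX_CHAR_STRING = 255  # RFC 1035: a <character-string> carries at most 255 bytes


def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER TLV using definite-length encoding."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative int; adds the 0x00 sign pad when the high bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der(0x02, body)


def placeholder_spki(bits: int) -> bytes:
    """SubjectPublicKeyInfo for an RSA key of `bits` bits with e=65537.

    The modulus is a constructed placeholder: top and bottom bits set, so it has
    exactly `bits` bits and, like any real modulus, needs the DER sign pad.
    """
    modulus = (1 << (bits - 1)) | 1
    rsa_public_key = der(0x30, der_integer(modulus) + der_integer(65537))
    bit_string = der(0x03, b"\x00" + rsa_public_key)  # leading byte: 0 unused bits
    return der(0x30, RSA_ENCRYPTION_ALGID + bit_string)


def dkim_record_text(bits: int) -> str:
    """The TXT record value as an operator would publish it."""
    p = base64.b64encode(placeholder_spki(bits)).decode("ascii")
    return f"v=DKIM1; k=rsa; p={p}"


def txt_rdata(text: str) -> bytes:
    """TXT RDATA: one or more <length><bytes> character-strings, each <= 255 bytes.

    A 2048-bit key already exceeds one character-string, so it must be split;
    verifiers concatenate the strings back together before parsing.
    """
    raw = text.encode("ascii")
    chunks = [raw[i:i + MAX_CHAR_STRING] for i in range(0, len(raw), MAX_CHAR_STRING)]
    return b"".join(bytes([len(c)]) + c for c in chunks)


def wire_name(name: str) -> bytes:
    """Uncompressed wire-format domain name: length-prefixed labels plus root byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def response_size(name: str, text: str) -> int:
    """Bytes in a minimal answer: header, question, one TXT RR with a compressed owner name."""
    rdata = txt_rdata(text)
    header = 12
    question = len(wire_name(name)) + 4            # QNAME + QTYPE + QCLASS
    answer = 2 + 2 + 2 + 4 + 2 + len(rdata)        # name pointer + TYPE + CLASS + TTL + RDLENGTH + RDATA
    return header + question + answer


def fits_in_udp512(name: str, bits: int) -> bool:
    """True if the minimal answer fits a classic 512-byte UDP message."""
    return response_size(name, dkim_record_text(bits)) <= DNS_UDP_LIMIT


if __name__ == "__main__":
    owner = "selector._domainkey.example.com"  # assumed name
    for bits in (1024, 2048, 4096):
        text = dkim_record_text(bits)
        print(f"{bits}-bit: record text {len(text)} chars, RDATA {len(txt_rdata(text))} bytes, "
              f"answer {response_size(owner, text)} bytes, fits UDP/512: {fits_in_udp512(owner, bits)}")
```

With only the answer section counted, a 2048-bit key stays under 512 bytes but a 4096-bit key does not; any authority or additional records, or a longer owner name, push the 2048-bit case over the limit as well, which is the point at which resolvers fall back to TCP or need EDNS0.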

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html