
Re: WG Review: Keys In DNS (kidns)

2010-10-26 14:46:45
I believe the KIDNS charter is generally good and I support forming this
WG to work on this topic, however I have one important concern:

Specify mechanisms and techniques that allow Internet applications to
establish cryptographically secured communications by using information
distributed through the DNS and authenticated using DNSSEC to obtain
public keys which are associated with a service located at a
domain name.

I fear this wording will lead to a standard that _requires_ people to
adopt the sloppy security practice of using the same credential for two
(or more) unrelated services.

By only locating services by domain name, the separation between ports
(e.g., 443 or 587) and transport protocols (UDP vs TCP) is lost.

I object to that limitation.  I believe it is important that any
solution in this space supports different certificates for different
ports/protocols on the same host.

My experience with how protocols are deployed is that it is common for
both web (HTTPS) and e-mail (SMTP with STARTTLS) to be hosted on the
same domain name but with different certificates.

For example, the host "lists.debian.org" is reachable with HTTPS (with a
matching certificate) and also through SMTP with STARTTLS (also with a
matching certificate).  The services are using different certificates!

There are other examples, lists.ubuntu.com and even mail.ietf.org, even
if not all appear to support SMTP+STARTTLS.

Thus, I'd like to see the charter clarify that services are located at a
distinct port/protocol/domain-name rather than only at a domain-name.

/Simon
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
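The following is an added illustration of the point argued above, not code from the post or from any KIDNS draft. It models DNS-published certificate fingerprints keyed two ways: by domain name only, and by port/transport/domain (the `_port._proto.host` owner-name convention is assumed here; the certificate bytes and host are constructed stand-ins).

```python
# Added example: why keying DNS-published key material by domain name alone
# cannot express "one host, different certificates per service".
# Assumptions: SRV-style "_port._proto.host." owner names; SHA-256 of the
# certificate as the published association; cert bytes below are constructed.
import hashlib
from typing import Dict, Iterable, Tuple

Entry = Tuple[int, str, str, bytes]  # (port, transport, domain, cert_der)


def fingerprint(cert_der: bytes) -> str:
    """Published association value: hex SHA-256 of the DER certificate."""
    return hashlib.sha256(cert_der).hexdigest()


def owner_domain_only(domain: str) -> str:
    """Charter wording as written: the service is located at a name only."""
    return domain.rstrip(".").lower() + "."


def owner_per_service(port: int, proto: str, domain: str) -> str:
    """Proposed wording: located at a distinct port/protocol/domain-name."""
    return f"_{port}._{proto.lower()}.{domain.rstrip('.').lower()}."


def publish_domain_only(entries: Iterable[Entry]) -> Dict[str, str]:
    """Build the zone under domain-only naming; a second, different
    certificate for the same host has nowhere to go, so refuse it."""
    zone: Dict[str, str] = {}
    for _port, _proto, domain, cert_der in entries:
        owner, fp = owner_domain_only(domain), fingerprint(cert_der)
        if zone.get(owner, fp) != fp:
            raise ValueError(f"{owner}: one name cannot carry two certificates")
        zone[owner] = fp
    return zone


def publish_per_service(entries: Iterable[Entry]) -> Dict[str, str]:
    """Build the zone under per-service naming; every service gets its own record."""
    return {owner_per_service(p, t, d): fingerprint(c) for p, t, d, c in entries}


def verify(zone: Dict[str, str], owner: str, presented_der: bytes) -> bool:
    """Client side: the presented certificate must match the published record."""
    expected = zone.get(owner)
    return expected is not None and expected == fingerprint(presented_der)


# Constructed stand-ins for two different certificates on the same host.
HTTPS_CERT = b"constructed DER: lists.example.org HTTPS certificate"
SMTP_CERT = b"constructed DER: lists.example.org SMTP submission certificate"
SERVICES: list = [(443, "tcp", "lists.example.org", HTTPS_CERT),
                  (587, "tcp", "lists.example.org", SMTP_CERT)]
```

Under per-service naming both certificates verify against their own records; under domain-only naming the operator is forced to publish one certificate for both ports, which is exactly the shared-credential practice the post objects to.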
