Re: [keyassure] WG Review: Keys In DNS (kidns)

2010-10-27 10:43:41
Simon and all,


-----Original Message-----
From: Simon Josefsson <simon(_at_)josefsson(_dot_)org>
Sent: Oct 26, 2010 2:46 PM
To: iesg(_at_)ietf(_dot_)org, ietf(_at_)ietf(_dot_)org
Cc: keyassure(_at_)ietf(_dot_)org
Subject: Re: [keyassure] WG Review: Keys In DNS (kidns)

I believe the KIDNS charter is generally good and I support forming this
WG to work on this topic, however I have one important concern:

Specify mechanisms and techniques that allow Internet applications to
establish cryptographically secured communications by using information
distributed through the DNS and authenticated using DNSSEC to obtain
public keys which are associated with a service located at a
domain name.

I fear this wording will lead to a standard that _requires_ people to
adopt the sloppy security practice of using the same credential for two
(or more) unrelated services.

I share this concern.  The above referenced wording needs revision.

By only locating services by domain name, the separation between ports
(e.g., 443 or 587) and transport protocols (UDP vs TCP) is lost.

  not lost really but confused, perhaps...

I object to that limitation.  I believe it is important that any
solution in this space supports different certificates for different
ports/protocols on the same host.

  Why not have both?  One being a shared cert as acceptable and the
option of one for each?

My experience with how protocols are deployed is that it is common for
both web (HTTPS) and e-mail (SMTP with STARTTLS) to be hosted on the
same domain name but with different certificates.

For example, the host "lists.debian.org" is reachable with HTTPS (with a
matching certificate) and also through SMTP with STARTTLS (also with a
matching certificate).  The services are using different certificates!

  I see nothing wrong with this and conversely nothing wrong with both
using a shared cert for each.

There are other examples, lists.ubuntu.com and even mail.ietf.org, even
if not all appear to support SMTP+STARTTLS.

Thus, I'd like to see the charter clarify that services are located at a
distinct port/protocol/domain-name rather than only at a domain-name.

/Simon
_______________________________________________
keyassure mailing list
keyassure(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/keyassure

Regards,
Jeffrey A. Williams
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B; liability
depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail 
jwkckid1(_at_)ix(_dot_)netcom(_dot_)com
Phone: 214-244-4827


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
