[dns-operations] Online DNSSEC debugging tool now availalbe

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Mon Jul 19 17:44:32 UTC 2010

On Mon, Jul 19, 2010 at 10:33:39AM -0700, David Conrad wrote:
> Bill,
> On Jul 19, 2010, at 10:24 AM, bmanning at vacation.karoshi.com wrote:
> > 	if my government, employer, university, bank, etc. give me their keys
> > 	i expect I will want to first use the keys they give me directly, if I can,
> > 	then the chain of custody that comes from the root.
> How do you envision this working exactly?  It sounds like you're proposing a really fascinating exercise is the scalability of key management.  There's a reason hierarchical chains of trust keep showing up...
> Regards,
> -drc

	well, as Ed pointed out, DNSSEC was designed with the idea that there would be "islands
	of trust" - that the myth of a fully signed/linked heirarchy was just that. 
	and we have emperical evidence of large key-stores not being a huge problem (the local
	browser cert cache comes to mind) so I don't think I am proposing anything new or 
	wildly different.

	When I get a set of crypto tokens from my employer, including a SEP for their domain,
	I expect they want me to use that key in preference to a chain of custody from one
	or more third parties.  


More information about the dns-operations mailing list