[dns-operations] Online DNSSEC debugging tool now available
bmanning at vacation.karoshi.com
Mon Jul 19 17:44:32 UTC 2010
On Mon, Jul 19, 2010 at 10:33:39AM -0700, David Conrad wrote:
> Bill,
>
> On Jul 19, 2010, at 10:24 AM, bmanning at vacation.karoshi.com wrote:
> > if my government, employer, university, bank, etc. give me their keys
> > i expect I will want to first use the keys they give me directly, if I can,
> > then the chain of custody that comes from the root.
>
> How do you envision this working exactly? It sounds like you're proposing a really fascinating exercise in the scalability of key management. There's a reason hierarchical chains of trust keep showing up...
>
> Regards,
> -drc
>
well, as Ed pointed out, DNSSEC was designed with the idea that there would be "islands
of trust" - that the myth of a fully signed/linked hierarchy was just that.
and we have empirical evidence of large key-stores not being a huge problem (the local
browser cert cache comes to mind) so I don't think I am proposing anything new or
wildly different.
When I get a set of crypto tokens from my employer, including a SEP for their domain,
I expect they want me to use that key in preference to a chain of custody from one
or more third parties.
--bill
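The "island of trust" preference discussed above, as an added example that is not part of the thread: with several trust anchors configured, a validator starts from the anchor whose zone most closely encloses the name being checked (the closest-enclosing anchor behaviour of common validators), so a locally installed employer SEP is used ahead of the chain from the root. The zone names and key identifiers below are constructed placeholders, not real keys.

```python
# Added example (not from the thread): choose which configured DNSSEC trust
# anchor a validator should start from for a given name. The deepest anchor
# whose zone encloses the name wins, so a local "island of trust" key for
# an employer's zone is used in preference to the root chain of custody.
from typing import Dict, List, Optional, Tuple


def _labels(name: str) -> List[str]:
    """Split a DNS name into lowercased labels; the root name gives []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def is_ancestor_or_self(zone: str, name: str) -> bool:
    """True if zone equals name or is a proper ancestor on a label boundary.

    Label-wise comparison matters: 'corp.example.' must not match
    'notcorp.example.' the way a naive string suffix check would.
    """
    z, n = _labels(zone), _labels(name)
    return len(z) <= len(n) and n[len(n) - len(z):] == z


def select_trust_anchor(qname: str, anchors: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (zone, anchor_id) of the deepest configured anchor covering qname.

    anchors maps a zone name to an identifier for its trust anchor (a key tag
    or DS digest in a real validator; placeholders here). Returns None when no
    anchor encloses the name, i.e. the name cannot be validated at all.
    """
    best: Optional[Tuple[str, str]] = None
    for zone, key_id in anchors.items():
        if not is_ancestor_or_self(zone, qname):
            continue
        if best is None or len(_labels(zone)) > len(_labels(best[0])):
            best = (zone, key_id)
    return best


# Constructed configuration: the root anchor plus an island for the employer's zone.
ANCHORS = {
    ".": "root-ksk (placeholder)",
    "corp.example.": "employer-sep (placeholder)",
}

if __name__ == "__main__":
    for name in ("mail.corp.example.", "www.example.", "CORP.EXAMPLE", "notcorp.example."):
        print(name, "->", select_trust_anchor(name, ANCHORS))
```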