At 2:30 PM -0400 10/4/10, Michael StJohns wrote:
Hi -

DNSSEC seems to be picking on PKIX and vice versa - maybe the right answer is both?

I don't see the proposed work as a war between X.509 certs and signed DNS records. I think that they are potentially complementary security mechanisms.

...
What if - the PKIX certificate for the host contained a "permit" for the name signed by the DNS owner? A signature over the hash of the public key in the certificate, and the DNS name - and maybe some expiration info verifiable by the data in DNSSEC?

We have avoided putting additional signatures in a public-key cert, so I'm not comfortable with a proposal that does so. Is there a way to reverse this, so that the cert contains a hash of a key from the DNS, and there is a (signed) DNS record that covers the cert?

Steve
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
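The following Go sketch is an added illustration of the reversed binding Steve proposes, not code from the thread or from any IETF draft. It models both directions he describes: the host certificate carries a hash of the DNS zone's public key (in a placeholder extension OID, not a registered one), and a DNS-side record covers the certificate by the SHA-256 of its SubjectPublicKeyInfo. The `ZoneRecord` type, its Ed25519 signature (standing in for a DNSSEC RRSIG), the `zoneKeyHashOID` value and the host name are all constructed for the example. It goes slightly beyond the message by also showing two failure cases a relying party must reject: a same-name certificate the zone never published a record for, and a record signed by a key that is not the zone's.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Placeholder extension OID (hypothetical, not registered) carrying the
// SHA-256 of the zone public key inside the certificate.
var zoneKeyHashOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// ZoneRecord is a constructed stand-in for a DNSSEC-signed record that covers
// the host certificate: owner name, hash of the cert's SubjectPublicKeyInfo,
// an expiry, and a zone-key signature playing the role of the RRSIG.
type ZoneRecord struct {
	Name      string
	SPKIHash  [32]byte
	NotAfter  time.Time
	Signature []byte
}

// tbs returns the bytes the zone signature covers.
func (r *ZoneRecord) tbs() []byte {
	var b bytes.Buffer
	b.WriteString(r.Name)
	b.WriteByte(0) // separator so name and hash cannot run together
	b.Write(r.SPKIHash[:])
	b.WriteString(r.NotAfter.UTC().Format(time.RFC3339))
	return b.Bytes()
}

// SignZoneRecord is the DNS owner's side: publish a signed record that names
// the host and the hash of the key in its certificate.
func SignZoneRecord(zoneKey ed25519.PrivateKey, name string, cert *x509.Certificate, notAfter time.Time) *ZoneRecord {
	r := &ZoneRecord{Name: name, SPKIHash: sha256.Sum256(cert.RawSubjectPublicKeyInfo), NotAfter: notAfter}
	r.Signature = ed25519.Sign(zoneKey, r.tbs())
	return r
}

// NewHostCert builds a self-signed host certificate whose only DNS-related
// content is the hash of the zone public key; no extra signature is embedded.
func NewHostCert(name string, zonePub ed25519.PublicKey) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	zoneKeyHash := sha256.Sum256(zonePub)
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: name},
		DNSNames:        []string{name},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: zoneKeyHashOID, Value: zoneKeyHash[:]}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyBinding is the relying-party check: the record must be validly signed
// by the zone key, unexpired, for this host, and cover this certificate's key;
// the certificate must in turn reference the same zone key.
func VerifyBinding(cert *x509.Certificate, rec *ZoneRecord, zonePub ed25519.PublicKey, host string, now time.Time) error {
	if !ed25519.Verify(zonePub, rec.tbs(), rec.Signature) {
		return errors.New("zone record signature does not verify")
	}
	if rec.Name != host || now.After(rec.NotAfter) {
		return errors.New("zone record is for another name or has expired")
	}
	if sha256.Sum256(cert.RawSubjectPublicKeyInfo) != rec.SPKIHash {
		return errors.New("certificate key is not covered by the zone record")
	}
	want := sha256.Sum256(zonePub)
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(zoneKeyHashOID) {
			if !bytes.Equal(ext.Value, want[:]) {
				return errors.New("certificate references a different zone key")
			}
			return nil
		}
	}
	return errors.New("certificate carries no zone-key reference")
}

// Scenario returns the verification outcome for a correctly bound cert, for a
// same-name cert the zone never published, and for a record from a foreign key.
func Scenario() (bound, unpublished, wrongZone error) {
	const host = "host.example" // constructed name
	zonePub, zonePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	cert, err := NewHostCert(host, zonePub)
	if err != nil {
		return err, err, err
	}
	rec := SignZoneRecord(zonePriv, host, cert, now.Add(time.Hour))
	bound = VerifyBinding(cert, rec, zonePub, host, now)
	rogue, _ := NewHostCert(host, zonePub) // different key, no record published for it
	unpublished = VerifyBinding(rogue, rec, zonePub, host, now)
	foreign := SignZoneRecord(otherPriv, host, cert, now.Add(time.Hour))
	wrongZone = VerifyBinding(cert, foreign, zonePub, host, now)
	return
}

func main() {
	b, u, w := Scenario()
	fmt.Println("bound:", b, "| unpublished:", u, "| wrong zone:", w)
}
```

In a real deployment the `ed25519.Verify` call would be replaced by DNSSEC validation of the record up to a trust anchor; the point the exchange turns on is only which artefact carries the binding signature, and here it is the DNS side, with the certificate holding nothing more than a hash.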
