At 2:30 PM -0400 10/4/10, Michael StJohns wrote:
> Hi -
> DNSSEC seems to be picking on PKIX and vice versa - maybe the right
> answer is both?
I don't see the proposed work as a war between X.509 certs and signed
DNS records. I think that they are potentially complementary security
mechanisms.
...
> What if - the PKIX certificate for the host contained a "permit" for
> the name signed by the DNS owner? A signature over the hash of the
> public key in the certificate, and the DNS name - and maybe some
> expiration info verifiable by the data in DNSSEC?
We have avoided putting additional signatures in a public-key cert,
so I'm not comfortable with a proposal that does so. Is there a way
to reverse this, so that the cert contains a hash of a key from the
DNS, and there is a (signed) DNS record that covers the cert?
Steve
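The reversed binding Steve sketches above (the cert carries a hash of a key from the DNS, and a signed DNS record covers the cert), worked through as an added example; this is not code from the thread or from any IETF document. The record layout, the private-arc extension OID, the host name and the use of a raw ECDSA key in place of a DNSSEC-validated zone key are all assumptions made for illustration. The relying party checks the name, the expiry, the zone signature over the record, that the record's hash matches the SubjectPublicKeyInfo of the certificate the host presents, and that the certificate in turn names the same zone key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"strconv"
	"time"
)

var oidZoneKeyHash = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // hypothetical private-arc OID, not registered

// Binding stands in for the DNSSEC-signed record that "covers the cert".
type Binding struct {
	Name    string
	KeyHash [32]byte // SHA-256 of the cert's SubjectPublicKeyInfo
	Expires time.Time
	Sig     []byte // zone key's ECDSA (ASN.1) signature over bindingBytes
}

// bindingBytes is the canonical string the zone key signs (constructed layout, not a real RR).
func bindingBytes(name string, keyHash [32]byte, expires time.Time) []byte {
	b := append([]byte{byte(len(name))}, name...) // one-byte length prefix; DNS names are <= 255 octets
	b = append(b, keyHash[:]...)
	return strconv.AppendInt(b, expires.Unix(), 10)
}

func zoneKeyHash(pub *ecdsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a P-256 key
	h := sha256.Sum256(der)
	return string(h[:])
}

// newHostCert issues a self-signed cert for name that embeds the zone-key hash.
func newHostCert(name string, zonePub *ecdsa.PublicKey) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		DNSNames:        []string{name},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidZoneKeyHash, Value: []byte(zoneKeyHash(zonePub))}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// SignBinding is the DNS owner's side: sign a record over the host cert's key hash.
func SignBinding(zoneKey *ecdsa.PrivateKey, name string, certDER []byte, expires time.Time) (Binding, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return Binding{}, err
	}
	h := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	msg := sha256.Sum256(bindingBytes(name, h, expires))
	sig, err := ecdsa.SignASN1(rand.Reader, zoneKey, msg[:])
	return Binding{name, h, expires, sig}, err
}

// VerifyBinding is the relying party's side: name, expiry, zone signature, key hash and the cert's pointer back at the zone key must all agree.
func VerifyBinding(zonePub *ecdsa.PublicKey, b Binding, name string, certDER []byte, now time.Time) error {
	if b.Name != name || now.After(b.Expires) {
		return errors.New("binding is for another name or has expired")
	}
	msg := sha256.Sum256(bindingBytes(b.Name, b.KeyHash, b.Expires))
	if !ecdsa.VerifyASN1(zonePub, msg[:], b.Sig) {
		return errors.New("zone signature invalid")
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	if sha256.Sum256(cert.RawSubjectPublicKeyInfo) != b.KeyHash {
		return errors.New("certificate key does not match the DNS binding")
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidZoneKeyHash) && string(ext.Value) == zoneKeyHash(zonePub) {
			return nil
		}
	}
	return errors.New("certificate does not name this zone key")
}

func main() { // errors are ignored here only for brevity; the functions above report them
	zoneKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the zone's DNSSEC key
	const host = "www.example.net"                               // constructed example name
	certDER, _ := newHostCert(host, &zoneKey.PublicKey)
	b, _ := SignBinding(zoneKey, host, certDER, time.Now().Add(7*24*time.Hour))
	fmt.Println("genuine cert:", VerifyBinding(&zoneKey.PublicKey, b, host, certDER, time.Now()))
	rogueDER, _ := newHostCert(host, &zoneKey.PublicKey) // same name, attacker-chosen key
	fmt.Println("rogue cert:", VerifyBinding(&zoneKey.PublicKey, b, host, rogueDER, time.Now()))
}
```

Two design points worth noting. Hashing the SubjectPublicKeyInfo rather than the whole certificate lets the host reissue or renew the certificate under the same key without touching the DNS record, while the record's own expiry is the "expiration info" the quoted message asks for and is checked independently of the certificate's validity dates. In a real deployment the relying party would obtain the record through a validating resolver and trust the zone key only via the DNSSEC chain; here that chain is collapsed into a single ECDSA key the verifier already holds.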
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop