<<<
Chronological Index
>>> <<<
Thread Index
>>>
RE: [ga] Secure DNS
> From: Harald Alvestrand [mailto:Harald@Alvestrand.no]
> Sent: Monday, September 18, 2000 11:01 AM
>
> At 10:17 18/09/2000 -0700, Roeland M.J. Meyer wrote:
> >TLS anyone?
>
> Not the best place to hash this out..
agreed
> ..but TLS tells you only that it's
> hard to interfere with the transmission, not who it came
> from..
Kinda, TLS is for third-party verification of the cert. It both
authenticates and encrypts. The downside is that it is server-centric.
Unlike SSL, which is satisfied with a simple signature, TLS actually
goes to the CA and checks the cert. This makes it a three-party
transaction with the CA being the third party. There are a lot of other
details, like being able to use pin-only certs, rather than actual CPI.
> ..for that
> you need a public key infrastructure of some kind (TLS with X.509
> certificates is defined, but not used much for client authentication).
This is exactly what I had in mind when I made that recommendation for
the root registry. Registries are natural CAs, they just don't know it
yet.
--
This message was passed to you via the ga-full@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga-full" in the body of the message).
Archives at http://www.dnso.org/archives.html
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|