ICANN/DNSO
DNSO Mailling lists archives

[ga-full]


<<< Chronological Index >>>    <<< Thread Index >>>

RE: [ga] Secure DNS


> From: Harald Alvestrand [mailto:Harald@Alvestrand.no]
> Sent: Monday, September 18, 2000 11:01 AM
> 
> At 10:17 18/09/2000 -0700, Roeland M.J. Meyer wrote:
> >TLS anyone?
> 
> Not the best place to hash this out..

agreed

> ..but TLS tells you only that it's 
> hard to interfere with the transmission, not who it came 
> from..

Kinda, TLS is for third-party verification of the cert. It both
authenticates and encrypts. The downside is that it is server-centric.
Unlike SSL, which is satisfied with a simple signature, TLS actually
goes to the CA and checks the cert. This makes it a three-party
transaction with the CA being the third party. There are a lot of other
details, like being able to use pin-only certs, rather than actual CPI.

> ..for that 
> you need a public key infrastructure of some kind (TLS with X.509 
> certificates is defined, but not used much for client authentication).

This is exactly what I had in mind when I made that recommendation for
the root registry. Registries are natural CAs, they just don't know it
yet.
--
This message was passed to you via the ga-full@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga-full" in the body of the message).
Archives at http://www.dnso.org/archives.html



<<< Chronological Index >>>    <<< Thread Index >>>