New addresses for b.root-servers.net

Masataka Ohta mohta at necom830.hpcl.titech.ac.jp
Wed Jun 21 10:00:12 UTC 2023


Mark Andrews wrote:

>> If an end and another end directly share a secret
>> key without involving untrustworthy trusted third
>> parties, the ends are secure end to end.

>> An untrustworthy but lightweight and inexpensive (or free)
>> PKI may be worth its price and may be useful to make IP address
>> based security a little better.

> Which you can do with DNSSEC but the key management will be enormous.

Which part of my message are you responding to? The first part?

Though you might have forgotten, my initial proposal of DNSSEC
actually allows the use of both public and shared keys.

With hierarchical KDCs (Key Distribution Centers) instead
of hierarchical CAs, key management is not enormous.

A shared key is better than a public key, because revocation
is instantaneous. Instead, root KDCs receive a large amount
of requests. But the situation is similar to DNS root
servers today and is manageable.

Kerberos relies on KDCs.

However, the shared keys are shared by ends and intermediate
systems of KDCs, which is not end to end security.

						Masataka Ohta
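
An added example, not part of the original message or of any system named in the thread: a single-level toy KDC in Python (the hierarchy is omitted) showing the two properties discussed above, that deleting a principal's key at the KDC stops new session keys for it at once, and that the KDC holds every session key it hands out. The names `KDC`, `wrap`, `unwrap` and `demo` are hypothetical, and the HMAC-based wrap is a toy stand-in for a real authenticated cipher.

```python
import hashlib
import hmac
import secrets

def wrap(key: bytes, payload: bytes) -> bytes:
    """Toy authenticated wrap for payloads of up to 32 bytes (not a real AEAD)."""
    nonce = secrets.token_bytes(16)
    pad = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(p ^ s for p, s in zip(payload, pad))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("bad tag: wrong key or tampered blob")
    pad = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ct, pad))

class KDC:
    def __init__(self):
        self.keys = {}     # principal -> long-term key shared with this KDC
        self.issued = []   # every session key this KDC generated

    def enroll(self, name: str) -> bytes:
        self.keys[name] = secrets.token_bytes(32)
        return self.keys[name]

    def revoke(self, name: str) -> None:
        # One local delete; affects every later session() call for this name.
        self.keys.pop(name, None)

    def session(self, a: str, b: str):
        if a not in self.keys or b not in self.keys:
            raise PermissionError("unknown or revoked principal")
        k = secrets.token_bytes(32)
        self.issued.append(k)  # the intermediate system sees the key
        return wrap(self.keys[a], k), wrap(self.keys[b], k)

def demo():
    kdc = KDC()
    ka, kb = kdc.enroll("alice"), kdc.enroll("bob")  # constructed principals
    for_a, for_b = kdc.session("alice", "bob")
    k_a, k_b = unwrap(ka, for_a), unwrap(kb, for_b)
    kdc_knows = k_a in kdc.issued
    kdc.revoke("bob")
    try:
        kdc.session("alice", "bob")
        refused = False
    except PermissionError:
        refused = True
    return k_a == k_b, kdc_knows, refused
```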


