Torvalds: requiring root password for mundane things is moronic

Paul Wouters pwouters at redhat.com
Thu Mar 1 04:24:35 UTC 2012


On Thu, 1 Mar 2012, Giovanni Campagna wrote:

> The same protections should be used, that is DNSSEC and end-to-end
> authentication (SSH, TLS). This still leaves the real mdns area
> unprotected, but this is to be expected, and it's just a UI issue
> (that could be resolved once network zones land).

One good use that can be made with DNSSEC is that you can broadcast
your security chain from DNSSEC.

My laptop can announce itself as pwouters.redhat.com. It will announce the
DNS chain from com to redhat.com to pwouters.redhat.com. The other person,
let's say john.foobar.com produces the DNS chain from com to foobar.com
to john.foobar.com. Now each party can, with just the preloaded root
dns key, obtain a cryptographic identity based on a simple identifier
(hostname). We can connect our laptops, or phones, simply by saying
"my laptop is pwouters.redhat.com". We could even do this without having
any internet connection, exchange public keys, and set up an IPsec tunnel
between our machines/phones, and only then transfer our personal data.

We only need some people to write and submit an IETF draft for this :)

(AFAIK, people were already working on standardising DNSSEC blobs for
use in embedding them in certificates, e.g. Adam Langley and Dan
Kaminsky)

Paul
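The offline exchange Paul sketches, as an added example that is not part of the original message or of any IETF draft: a toy Go model in which each zone holds one Ed25519 key (an assumption; real DNSSEC has KSK/ZSK pairs and signs whole RRsets), the announcing side ships the chain root -> com -> redhat.com -> pwouters.redhat.com, and the receiving side validates it from the preloaded root key alone, also checking that each link lies under its parent zone and that the chain ends at the hostname the peer claimed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Link is one delegation in the broadcast chain: the zone's DNSKEY plus the parent's
// signature over a DS-style digest. Toy model (assumption): one key per zone.
type Link struct {
	Name   string
	DNSKEY ed25519.PublicKey
	DSSig  []byte
}
// ds is the digest a parent commits to: SHA-256 over the child name and its key.
func ds(name string, key ed25519.PublicKey) []byte {
	h := sha256.Sum256(append([]byte(name+"|"), key...))
	return h[:]
}

// BuildChain is the announcing side: fresh key per zone, each signed by its parent.
func BuildChain(rootPriv ed25519.PrivateKey, names []string) ([]Link, ed25519.PrivateKey) {
	chain, parent := []Link{}, rootPriv
	for _, n := range names {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		chain = append(chain, Link{Name: n, DNSKEY: pub, DSSig: ed25519.Sign(parent, ds(n, pub))})
		parent = priv
	}
	return chain, parent // leaf private key is what the host later authenticates with
}

// Verify is the receiving side and needs only the preloaded root key: each link must
// be signed by its parent and lie under it, and the chain must end at the claimed host.
func Verify(root ed25519.PublicKey, host string, chain []Link) (ed25519.PublicKey, error) {
	parentKey, parentName := root, ""
	for _, l := range chain {
		if (parentName != "" && !strings.HasSuffix(l.Name, "."+parentName)) ||
			len(l.DNSKEY) != ed25519.PublicKeySize || !ed25519.Verify(parentKey, ds(l.Name, l.DNSKEY), l.DSSig) {
			return nil, fmt.Errorf("%q is not a valid delegation from %q", l.Name, parentName)
		}
		parentKey, parentName = l.DNSKEY, l.Name
	}
	if parentName != host {
		return nil, fmt.Errorf("chain ends at %q, not at claimed host %q", parentName, host)
	}
	return parentKey, nil
}
```

The returned leaf key is the identity the IPsec or TLS handshake must then prove possession of; without the hostname and hierarchy checks, any signed chain would be accepted regardless of whose name was announced.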


More information about the devel mailing list