ICANN/DNSO
DNSO Mailing lists archives

[ga]



RE: [ga] Secure DNS


> From: Dave Crocker [mailto:dhc2@dcrocker.net]
> Sent: Tuesday, September 19, 2000 9:14 AM
> 
> At 08:01 PM 9/18/00 +0200, Harald Alvestrand wrote:
> >Not the best place to hash this out....but TLS tells you only that it's
> >hard to interfere with the transmission, not who it came from....for that
> >you need a public key infrastructure of some kind (TLS with X.509
> >certificates is defined, but not used much for client authentication).
> 
> once a private channel is established by TLS, simple password exchange
> would be sufficient for authentication.  Public key-based certs would not
> be needed, no?

You've missed the fact that you need the PK cert to establish the secure
channel in the first place. Once established, you don't need to transmit
customer proprietary information (CPI) because a PIN number (index) will
do. That was the original intent of TLS, to not require the merchant to
have CPI other than the key and the PIN (taken from the card). That way
they don't have to have the CC number. That this has other uses that we
may take advantage of is a fortuitous design issue. Yes, authentication
is inherent in PK cryptography, anyone using SSH knows that. The hosts
are authenticated using PK and the user is authenticated using either
uuid/passwd or certs. One can also look at Kerberos for similar schemes.
--
This message was passed to you via the ga@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga" in the body of the message).
Archives at http://www.dnso.org/archives.html
