To: Simon Josefsson <simon@josefsson.org>
Cc: <Ted.Lindgreen@tednet.nl>, Dan Massey <masseyd@isi.edu>, <dnssec@cafax.se>
From: Jakob Schlyter <jakob@crt.se>
Date: Thu, 19 Apr 2001 15:48:43 +0200 (CEST)
Delivery-Date: Thu Apr 19 20:31:01 2001
In-Reply-To: <iluoftthwcr.fsf@barbar.josefsson.org>
Sender: owner-dnssec@cafax.se
Subject: Re: Keys at apex problem

On 19 Apr 2001, Simon Josefsson wrote:

> Are there really any specs to specify location of KEY's for a host?

not really, but

> I've written a draft to specify location of CERT RR's (which updates
> RFC2538 owner name guidelines), and I looked for similar drafts on
> KEY locations but didn't find any.

I'm also writing a draft specifying the naming of CERT RR's for
PGP-keys, also an update to 2538. perhaps we should merge our work?

> I think the location of a KEY record for a host has been simply
> assumed by everyone to be the DNS hostname. Anything else would be
> weird, but this thread shows that the obvious solution has its
> problems as well.

it would be nice if the obvious solution worked.

> What would PUBKEY do that KEY can't do? Three ways of doing roughly
> the same thing - KEY, CERT and PUBKEY - seems a little bit too much.

PUBKEY could separate DNSSEC infrastructural keys from application keys.

> IMHO the simplest thing would be to say that KEY is only used for
> DNSSEC internally, and other applications should use CERT (it's easy
> to define a CERT SSH type), and the CERT standard should also be
> separated from the DNSSEC standard because it really doesn't depend on
> it. Perhaps, I dunno.

a key is not a cert as a cert is a different kind of animal. the key is
just the raw key, nothing more.

/Jakob

--
Jakob Schlyter <jakob@crt.se>
Network Analyst
Phone: +46 31 701 42 13, +46 70 595 07 94
Carlstedt Research & Technology