To:
Jakob Schlyter <jakob@crt.se>
Cc:
<Ted.Lindgreen@tednet.nl>, Dan Massey <masseyd@isi.edu>, <dnssec@cafax.se>
From:
Simon Josefsson <simon@josefsson.org>
Date:
19 Apr 2001 16:03:48 +0200
Delivery-Date:
Fri Apr 20 07:49:24 2001
In-Reply-To:
<Pine.BSO.4.33.0104191544430.6456-100000@fonbella.crt.se> (Jakob Schlyter's message of "Thu, 19 Apr 2001 15:48:43 +0200 (CEST)")
Sender:
owner-dnssec@cafax.se
User-Agent:
Gnus/5.090003 (Oort Gnus v0.03) Emacs/21.0.102
Subject:
Re: Keys at apex problem
Jakob Schlyter <jakob@crt.se> writes:

> > I've written a draft to specify location of CERT RR's (which updates
> > RFC2538 owner name guidelines), and I looked for similar drafts on
> > KEY locations but didn't find any.
>
> I'm also writing a draft specifying the naming of CERT RR's for
> PGP-keys, also an update to 2538. Perhaps we should merge our work?

Oops. Mine is focused on X.509 though. You'll find a (temporary) copy at http://josefsson.org/draft-josefsson-pkix-dns.txt. I'll submit it to the ID editor nowish. (Note that this draft ignores the problem discussed here.)

> > IMHO the simplest thing would be to say that KEY is only used for
> > DNSSEC internally, and other applications should use CERT (it's easy
> > to define a CERT SSH type), and the CERT standard should also be
> > separated from the DNSSEC standard because it really doesn't depend on
> > it. Perhaps, I dunno.
>
> A key is not a cert, as a cert is a different kind of animal. The key is
> just the raw key, nothing more.

Yes. But given the option of a new PUBKEY RR and using CERT RR's for unsigned public keys, I would choose the latter. The CERT RR already supports non-certificate structures (CRLs), so this isn't such a far-fetched idea IMHO.