

To: Derek Atkins <warlord@MIT.EDU>
Cc: Simon Josefsson <jas@extundo.com>, Edward Lewis <lewis@tislabs.com>, <dnssec@cafax.se>
From: Jakob Schlyter <jakob@crt.se>
Date: Fri, 31 Aug 2001 17:49:33 +0200 (MEST)
Delivery-Date: Fri Aug 31 20:35:39 2001
In-Reply-To: <sjmofowteye.fsf@rcn.ihtfp.org>
Sender: owner-dnssec@cafax.se
Subject: Re: CERTificates and public keys

On 31 Aug 2001, Derek Atkins wrote:

> No, a CERT record is just a blob.  It specifically states that the
> 'certificate' portion of the RR is opaque to DNS and may contain
> multiple parts.

this is wrong. quoting the security considerations section of 2538:

"By definition, certificates contain their own authenticating signature.
Thus it is reasonable to store certificates in non-secure DNS zones or to
retrieve certificates from DNS with DNS security checking not implemented
or deferred for efficiency."


	jakob
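For readers following the disagreement above, the layout RFC 2538 gives the CERT RR makes both positions visible: the RDATA starts with a short structured header (certificate type, key tag, algorithm), and everything after it is the certificate or CRL, which DNS carries as opaque bytes and never interprets. The encoder/decoder below is an added example written for this archive page, not code from either correspondent or from the RFC; the type-code table is reproduced from my reading of RFC 2538 section 2.1, and the certificate bytes are a constructed placeholder rather than a real X.509 object.

```python
import base64
import struct

# CERT RR type codes as listed in RFC 2538 section 2.1 (assumption: transcribed
# from memory of the RFC; check the RFC before relying on the mapping).
CERT_TYPES = {
    1: "PKIX",   # X.509 as per PKIX
    2: "SPKI",   # SPKI certificate
    3: "PGP",    # OpenPGP packet
    253: "URI",  # URI private
    254: "OID",  # OID private
}

# Wire layout of the fixed part of CERT RDATA: 16-bit type, 16-bit key tag,
# 8-bit algorithm, all network byte order, followed by the certificate/CRL.
_HEADER = "!HHB"
_HEADER_LEN = struct.calcsize(_HEADER)  # 5 bytes


def build_cert_rdata(cert_type: int, key_tag: int, algorithm: int,
                     certificate: bytes) -> bytes:
    """Assemble CERT RDATA. DNS does not look inside `certificate`; whatever
    signature it carries is checked by the consuming PKI, not by the resolver."""
    return struct.pack(_HEADER, cert_type, key_tag, algorithm) + certificate


def parse_cert_rdata(rdata: bytes) -> dict:
    """Split CERT RDATA into its structured header and the opaque certificate.
    Raises ValueError on RDATA too short to hold the 5-byte header."""
    if len(rdata) < _HEADER_LEN:
        raise ValueError("CERT RDATA shorter than its %d-byte header" % _HEADER_LEN)
    cert_type, key_tag, algorithm = struct.unpack(_HEADER, rdata[:_HEADER_LEN])
    return {
        "type": cert_type,
        "type_name": CERT_TYPES.get(cert_type, "unknown"),
        "key_tag": key_tag,
        "algorithm": algorithm,
        "certificate": rdata[_HEADER_LEN:],  # opaque to DNS
    }


def to_presentation(fields: dict) -> str:
    """Render the zone-file form from RFC 2538 section 2.2:
    type key-tag algorithm base64(certificate-or-CRL)."""
    cert_b64 = base64.b64encode(fields["certificate"]).decode("ascii")
    return "%d %d %d %s" % (fields["type"], fields["key_tag"],
                            fields["algorithm"], cert_b64)


# Constructed sample: a placeholder blob standing in for a DER-encoded
# X.509 certificate. Real RDATA would carry the actual certificate here.
SAMPLE_CERT = b"placeholder-not-a-real-certificate"
SAMPLE_RDATA = build_cert_rdata(1, 12345, 5, SAMPLE_CERT)


def round_trip_ok() -> bool:
    """Encode, decode and compare; the certificate bytes must come back untouched."""
    fields = parse_cert_rdata(SAMPLE_RDATA)
    return (fields["type_name"] == "PKIX" and fields["key_tag"] == 12345
            and fields["algorithm"] == 5 and fields["certificate"] == SAMPLE_CERT)


if __name__ == "__main__":
    decoded = parse_cert_rdata(SAMPLE_RDATA)
    print("header fields:", {k: v for k, v in decoded.items() if k != "certificate"})
    print("opaque certificate length:", len(decoded["certificate"]))
    print("presentation form:", to_presentation(decoded))
```

The decoder deliberately stops at the header: whether the trailing bytes are a valid, unexpired, correctly signed certificate is a question for the application's PKI, which is exactly why the RFC's security considerations can treat retrieval from an unsigned zone as acceptable while still leaving the header fields (and any record you rely on to find the right CERT) without DNS-level integrity unless DNSSEC is used.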

