To: Derek Atkins <warlord@MIT.EDU>
Cc: Simon Josefsson <jas@extundo.com>, Edward Lewis <lewis@tislabs.com>, <dnssec@cafax.se>
From: Jakob Schlyter <jakob@crt.se>
Date: Fri, 31 Aug 2001 17:49:33 +0200 (MEST)
Delivery-Date: Fri Aug 31 20:35:39 2001
In-Reply-To: <sjmofowteye.fsf@rcn.ihtfp.org>
Sender: owner-dnssec@cafax.se
Subject: Re: CERTificates and public keys

On 31 Aug 2001, Derek Atkins wrote:

> No, a CERT record is just a blob. It specifically states that the
> 'certificate' portion of the RR is opaque to DNS and may contain
> multiple parts.

this is wrong. quoting the security considerations section of 2538:

"By definition, certificates contain their own authenticating
signature. Thus it is reasonable to store certificates in non-secure
DNS zones or to retrieve certificates from DNS with DNS security
checking not implemented or deferred for efficiency."

jakob