To:
Paul Hoffman / IMC <phoffman@imc.org>
Cc:
keydist@cafax.se
From:
Derek Atkins <warlord@MIT.EDU>
Date:
08 Jan 2002 13:56:09 -0500
In-Reply-To:
Paul Hoffman / IMC's message of "Tue, 8 Jan 2002 10:18:41 -0800"
Sender:
owner-keydist@cafax.se
Subject:
Re: Definitions of keys and certs
Paul Hoffman / IMC <phoffman@imc.org> writes:
> At 10:19 PM -0500 1/7/02, Derek Atkins wrote:
> >While technically true, generally 'certificate' implies a single blob.
> >In the case of a 'bare public key that you will only trust if you
> >trust a public key that has signed it', at least in the case of
> >DNSSEC, is not a certificate in the conventional sense of the word
> >because the KEY and SIG are separable blobs. Which cryptographically
> >this may be considered a certificate, operationally it is far from it.
>
> Right: operationally they are larger and often take two round trips
> instead of one to deliver. This is a feature?
Why would they take two round trips to deliver? The DNSSEC spec
states that the SIG (and NXT) records should be returned along
with the original data. In other words, you make a request for:
sshhost.my.site. IN <KeyrecordType>
and you get back:
sshhost.my.site. IN <KeyrecordType> [KEY DATA]
IN SIG [SIG KEYDATA]
IN NXT ...
IN SIG [SIG NXT]
All this happens in one round-trip. Where do you see two round trips
(unless it really does need to fall back to TCP, but quite honestly
unless KEY DATA is really huge (like an X.509 certificate!) it should
fit just fine in a single UDP datagram (c.f. KEY records).
> --Paul Hoffman, Director
> --Internet Mail Consortium
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available