

To: keydist@cafax.se
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Tue, 08 Jan 2002 12:56:09 -0500
In-reply-to: Your message of "Mon, 07 Jan 2002 13:20:33 PST." <p0510100fb85fc0ef41d7@[165.227.249.20]>
Sender: owner-keydist@cafax.se
Subject: Re: From whence we came...

>>>>> "IMC" == IMC  <Paul> writes:
    IMC> It appears that this discussion has more-than-tangentially been about 
    IMC> passing around those blobs in the DNS protocol. A bare public key can 
    IMC> be probably fit in the 512-octet limit that most people put on DNS 
    IMC> under UDP; a typical PKIX certificate probably cannot. So the choice 
    IMC> of the blob is in fact important for this discussion.

  Yes, that is true. If we want to make this a requirement, then I guess we
should write this down.
  A raw 2048 bit RSA key is:
      1 byte     (length of exponent)
      exponent   - usually 1 byte.
      public key

  So it is 2+256 bytes in length. With overhead, you might even fit 2 public 
keys in 576, but I'd have to add it up. 

  This is the major argument for not doing RR-subtyping - if you can get
precisely what you want back, then you don't have a huge reply, even if there 
are two keys due to key rollover. 

  If you don't do RR subtyping, then we need a RR for each type of key that
wishes to be stored in DNS. There are about 200 left. Not so many that we
should throw them away frivolously, but not so few that we can't afford to
think about this.

  I think that this is the main issue: do we burn a RR per use.
  If we do, then it doesn't matter what goes in - they will have to be
documented separately anyway.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
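Adding up the sizes the message leaves at "I'd have to add it up", as an added example that is not part of the original post: it encodes the raw key blob exactly as laid out above (one-byte exponent length, exponent, modulus) and sizes a minimal DNS reply against the 512-octet UDP limit. The 12-byte DNS header, 10 bytes of fixed RR fields and a 2-byte compression pointer for each answer owner name are standard DNS wire format; the query name example.com. and the all-0xFF modulus are constructed values.

```python
from typing import List

# Standard DNS wire-format constants (not from the message itself).
DNS_HEADER_LEN = 12       # fixed message header
RR_FIXED_LEN = 10         # TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2)
COMPRESSED_NAME_LEN = 2   # answer owner name as a pointer back to QNAME
UDP_LIMIT = 512           # classic DNS-over-UDP payload limit


def encode_raw_rsa_key(exponent: int, modulus_bits: int) -> bytes:
    """Exponent-length byte, exponent, then modulus, as the message lays it out.
    The modulus content is a constructed placeholder; only its length matters here."""
    exp_bytes = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    if len(exp_bytes) > 255:
        raise ValueError("exponent does not fit a one-byte length prefix")
    modulus = b"\xff" * (modulus_bits // 8)
    return bytes([len(exp_bytes)]) + exp_bytes + modulus


def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a domain name: 1+len per label, plus the root byte."""
    labels = [label for label in name.strip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1


def reply_size(qname: str, rdata_lens: List[int]) -> int:
    """UDP payload of a reply with one answer RR per RDATA length (no EDNS, no extra sections)."""
    question = wire_name_len(qname) + 4   # QNAME + QTYPE + QCLASS
    answers = sum(COMPRESSED_NAME_LEN + RR_FIXED_LEN + n for n in rdata_lens)
    return DNS_HEADER_LEN + question + answers


def keys_that_fit(qname: str, key_len: int, limit: int = UDP_LIMIT) -> int:
    """How many equal-sized key RRs a single reply can carry under the limit."""
    count = 0
    while reply_size(qname, [key_len] * (count + 1)) <= limit:
        count += 1
    return count


if __name__ == "__main__":
    key = encode_raw_rsa_key(3, 2048)        # 1 + 1 + 256 = 258 bytes
    print("raw key blob:", len(key), "bytes")
    print("one key reply:", reply_size("example.com.", [len(key)]), "bytes")
    print("keys under 512:", keys_that_fit("example.com.", len(key)))
    print("keys under 576:", keys_that_fit("example.com.", len(key), 576))
```

With a 2048-bit modulus and a one-byte exponent, two keys overflow 512 octets (569 bytes) but do fit in 576, which is the margin the message guesses at.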
  


