To: Keith Moore <moore@cs.utk.edu>
cc: <keydist@cafax.se>
From: Greg Hudson <ghudson@MIT.EDU>
Date: Thu, 10 Jan 2002 20:09:31 -0500 (EST)
In-Reply-To: <200201101425.g0AEPti01660@astro.cs.utk.edu>
Sender: owner-keydist@cafax.se
Subject: Re: RESCAP/RC: an alternative to key distribution using DNS

On Thu, 10 Jan 2002, Keith Moore wrote:

> seems quite reasonable to me, with the possible exception of shoehorning
> a key fingerprint onto NAPTR. But you can certainly store material in
> RESCAP which allows it to be securely tied to DNSSEC.

I'm a little leery of this approach; it means that the same private key has to be used to sign both DNS and non-DNS data. Maybe that's okay, but it sounds like a violation of

(There are, of course, other in-DNS approaches besides shoehorning a key fingerprint into NAPTR; for example, we could define a key-fingerprint RR type analogous to the KEY RR type.)