

To: Pekka Savola <pekkas@netcore.fi>
Cc: Michael Richardson <mcr@sandelman.ottawa.on.ca>, Franck Martin <franck@sopac.org>, <keydist@cafax.se>, <openssl-users@openssl.org>, <ietf@ietf.org>, <isdf@isoc.org>
From: Simon Josefsson <simon+keydist@josefsson.org>
Date: Sun, 09 Jun 2002 03:54:32 +0200
In-Reply-To: <Pine.LNX.4.44.0206082128210.15993-100000@netcore.fi> (Pekka Savola's message of "Sat, 8 Jun 2002 21:31:14 +0300 (EEST)")
Sender: owner-keydist@cafax.se
User-Agent: Gnus/5.090007 (Oort Gnus v0.07) Emacs/21.2.90(i686-pc-linux-gnu)
Subject: Re: Global PKI on DNS?

Pekka Savola <pekkas@netcore.fi> writes:

> On Sat, 8 Jun 2002, Michael Richardson wrote:
>> >>>>> "Franck" == Franck Martin <franck@sopac.org> writes:
>>     Franck> I was wondering if the best system to build a global PKI wouldn't be the
>>     Franck> DNS system already in place?
>>
>>     Franck> The root servers would share the ROOT Certificates and would sign a
>>     Franck> certificate to each .org .com .net .fr,... managers of these
>>     Franck> domains...Which in turn would use these certificates to sign sub
>>     Franck> domains
>>     Franck> certificates...
>>
>> Please see the minutes from the "siked" BOF from #53... oops, none produced.
>>
>> http://www.ietf.org/ietf/02mar/siked.txt
>> and the mailing list at keydist@cafax.se.
>
> I think this was when Randy Bush (with Ops & Mgmt Area Director hat on)
> said that certificates will not be stored in DNS; keys.. if you really
> want, why not (but if you don't understand the difference between keys
> and certificates, be quiet).

Both public keys and certificates can already be stored in DNS; see
RFC 2535 and RFC 2538.  RFC 2535 is "editorially" updated to not
include the application public key support any more though.

Since this was CC:d to keydist: I think the keydist effort has been
superseded by reality.  Despite the FUD presented by certain
individuals that don't want keys/certs in DNS, people have already
started doing it and it works fine.  The only difference is that the
way people do it is not standardized.

