

To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
cc: Key Distribution <keydist@cafax.se>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 12 Jun 2002 10:37:46 -0700
In-reply-to: Your message of "Wed, 12 Jun 2002 13:27:00 EDT." <200206121727.g5CHR0M00792@marajade.sandelman.ottawa.on.ca>
Sender: owner-keydist@cafax.se
Subject: Re: Global PKI on DNS?

> >>>>> "Eric" == Eric Rescorla <ekr@rtfm.com> writes:
>     Eric> Nearly all of the major IETF security protocols (TLS, IPsec, OpenPGP)
>     Eric> already have their own certificate discovery mechanism and therefore
>
>   I guess I'm ignorant of them.
>
>   Your email MTA seems to be 198.144.203.251. I want to send you an IPsec
> secured ping, where do I look for your key?
>
>   If email MTA supported STARTTLS, where would I look to get a copy of the
> certificate, other than inside the protocol?

So, what you mean to say here is:
"Aside from the place where I'm supposed to get certificates from,
where am I supposed to get certificates from?"

IKE and TLS both have slots in the protocols for the peers to pass out
the certificates. That's how it's supposed to be done. There's no reason
in either case for you to go outside the protocol to get the key. In fact,
in TLS it's impossible to do so because the server's certificate MUST be
sent to the client as part of the handshake (aside from the anonymous
DH cipher suites, that is...)

>   OpenPGP?
>
> marajade-[~] mcr 1032 %finger ekr@rtfm.com
> finger: No address associated with hostname: rtfm.com

What, you've never heard of key servers?

-Ekr
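Eric's point that the TLS peer's certificate arrives inside the handshake, shown as an added example that is not code from this thread: a Go program (the function name HandshakeCertSubject, the loopback server on 127.0.0.1 and the self-signed certificate for the constructed hostname mail.example.test are all assumptions of the example) in which the client is given nothing but a trust anchor and reads the server's certificate out of the completed handshake.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// HandshakeCertSubject starts a loopback TLS server with a freshly made self-signed
// certificate, connects as a client configured only with the trust anchor, and returns
// the CommonName of the certificate the server delivered inside the handshake.
func HandshakeCertSubject(host string) (string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return "", err
	}
	anchor, _ := x509.ParseCertificate(der) // cannot fail: we just produced this DER
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // server side: serve one connection, then hang up
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	roots := x509.NewCertPool()
	roots.AddCert(anchor) // the only key material the client is given out of band
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: host})
	if err != nil {
		return "", err // a certificate that fails validation never yields a connection
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() { fmt.Println(HandshakeCertSubject("mail.example.test")) }
```

With a CA-issued certificate the only difference is that the pool holds the CA root instead of the server's own certificate; the server certificate itself still comes from the handshake.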
