To: ietf <ietf@IETF.ORG>, isdf@isoc.org, Key Distribution <keydist@cafax.se>, openssl-users@openssl.org
From: Franck Martin <Franck@sopac.org>
Date: Thu, 13 Jun 2002 17:10:19 +1200
Sender: owner-keydist@cafax.se
Subject: RE: Global PKI on DNS?

The CERT extension to DNS allows you to place a URI there; a URI is smaller than
a cert and stays in a UDP packet.
The x509v3 extension allows you to place a URI to look for PKI and CRL, so
clients are already able to deal with a lot of URIs (mainly http and ldap).

Now you are looking for a cert or public key of a site or e-mail, you query
the DNS that gives you the URI where to look for the PKI...

As someone said the main problem is S/MIME which does not have a protocol to
look for public keys globally, I think DNS can do the job...

There just needs to be a little bit of coordination and an agreed mapping and
protocol to use DNS for a global PKI.

Franck Martin
Network and Database Development Officer
SOPAC South Pacific Applied Geoscience Commission
Fiji
E-mail: franck@sopac.org
Web site: http://www.sopac.org/
Support FMaps: http://fmaps.sourceforge.net/
Certificate: https://www.sopac.org/ssl/

This e-mail is intended for its addressees only. Do not forward this e-mail
without approval. The views expressed in this e-mail may not be necessarily
the views of SOPAC.



-----Original Message-----
From: Chris Evans [mailto:teknopup@bigvalley.net]
Sent: Thursday, 13 June 2002 4:46
To: David Conrad; Derek Atkins
Cc: Eric A. Hall; John Stracke; ietf; isdf@isoc.org; Key Distribution;
openssl-users@openssl.org
Subject: Re: Global PKI on DNS?


Then a global PKI protocol server needs to be invented so you can just get the
certs from the domain in question. I don't wanna see DNS system bogged down by
this stuff. IMHOOC!

use dns to get the IP and request from its IP the pki doc.. duh.


6/11/02 6:51:26 PM, Derek Atkins <derek@ihtfp.com> wrote:

>David Conrad <david.conrad@nominum.com> writes:
>
>> Why do you think the roots and TLDs would get millions of TCP queries for
>> their certs?  Why would anyone want to get the certs of the roots or tlds?
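
The size argument in the message above (a URI in a CERT record instead of the certificate itself), as an added example that is not part of the original thread. It assumes the CERT RDATA layout and type codes of RFC 4398, which was published after this discussion; the owner name, the URL and the 900-byte stand-in certificate are constructed.

```python
import struct
from urllib.parse import urlparse

# CERT RR certificate types, as assumed from RFC 4398
PKIX, IPKIX = 1, 4          # 1 = X.509 cert in the record, 4 = URL of an X.509 object
CLASSIC_UDP_LIMIT = 512     # DNS-over-UDP message size without EDNS0
ALLOWED_SCHEMES = {"http", "https", "ldap"}   # schemes named in the post, plus https

def build_cert_rdata(cert_type, key_tag, algorithm, data):
    """CERT RDATA: 2-byte type, 2-byte key tag, 1-byte algorithm, then the data."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + data

def parse_cert_rdata(rdata):
    """Split CERT RDATA; for the indirect type, decode and vet the URL."""
    if len(rdata) < 6:
        raise ValueError("CERT RDATA too short")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    body = rdata[5:]
    rec = {"type": cert_type, "key_tag": key_tag, "algorithm": algorithm, "url": None}
    if cert_type == IPKIX:
        url = body.decode("ascii")          # non-ASCII bytes raise a ValueError subclass
        if urlparse(url).scheme not in ALLOWED_SCHEMES:
            raise ValueError("unexpected URL scheme in CERT record")
        rec["url"] = url
    else:
        rec["cert_len"] = len(body)
    return rec

def response_size(owner, rdata):
    """Approximate size of a one-answer response (owner name compressed in the answer)."""
    qname = sum(len(label) + 1 for label in owner.strip(".").split(".")) + 1
    header, question = 12, qname + 4
    answer = 2 + 2 + 2 + 4 + 2 + len(rdata)   # ptr, type, class, TTL, rdlength, rdata
    return header + question + answer

# Constructed sample data (not from the thread)
OWNER = "alice.example.org"
URL_RDATA = build_cert_rdata(IPKIX, 0, 0, b"https://pki.example.org/certs/alice.cer")
DER_RDATA = build_cert_rdata(PKIX, 0, 0, bytes(900))   # stand-in for a 900-byte DER cert

if __name__ == "__main__":
    for label, rd in (("URL", URL_RDATA), ("embedded", DER_RDATA)):
        size = response_size(OWNER, rd)
        print(label, parse_cert_rdata(rd), size, size <= CLASSIC_UDP_LIMIT)
```

The URL only says where to fetch the certificate; without DNSSEC the answer is unauthenticated, so the fetched certificate still has to be validated against a trusted chain.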
