To: dnssec@cafax.se
Cc: lewis@tislabs.com
From: Edward Lewis <lewis@tislabs.com>
Date: Tue, 4 Sep 2001 14:00:38 -0400
In-Reply-To: <3C1E3607B37295439F7C409EFBA08E680E267F@col-581-exs01.cist.saic.com>
Sender: owner-dnssec@cafax.se
Subject: RE: CERTificates and public keys
At 1:29 PM -0400 9/4/01, Loomis, Rip wrote:

> Is it then better to leave the current CERT record intact, or to deprecate it entirely in favor of APPKEY? Personally I would prefer that there be only one type of record which DNS servers use to support "all the other keys" rather than having both CERT and APPKEY... it seems cleaner, and it allows DNS administrators (and implementors) to avoid worrying about the differences. If it's a DNSSEC key for the zone, then it goes into a KEY RR. If not, it goes into the other catch-all, and all the folks who want to do complicated neato whizbang things in applications can do those things outside of the DNS implementations.

What if... we create a CERT RR type (see RFC 2538) for "raw public key." Then we would be effectively combining APPKEY and CERT into an already documented RR.

The remaining problem would be to stuff the version number and application identifier into the "raw" public key. I think we'd end up complicating the CERT RR handling software as much as adding a new RR. So I'm not sure combining the two would work all that well.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NAI Labs
Phone: +1 443-259-2352
Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.
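The following is an added illustration, not code from the message or from any DNS implementation, of the RFC 2538 CERT RDATA layout the reply refers to: a 2-octet type, 2-octet key tag, 1-octet algorithm, then the certificate bytes, which the resolver treats as opaque. The key tag routine is the general checksum from RFC 2535 Appendix C (not the RSA/MD5 special case). The "raw public key" type value and the version/application-id framing inside the certificate field are assumptions made here to show where the extra parsing the message worries about would have to live; RFC 2538 registers no such type, and all sample bytes are constructed.

```python
import base64
import struct

# CERT RR type code and the certificate type values from RFC 2538 section 2.1.
CERT_RR_TYPE = 37
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 253: "URI", 254: "OID"}

# Hypothetical code point for a "raw public key" certificate type.  This is a
# placeholder for the proposal in the message; nothing in RFC 2538 assigns it.
RAWKEY_TYPE_PLACEHOLDER = 250


def key_tag(key_rdata: bytes) -> int:
    """Key tag per RFC 2535 Appendix C (general case): 16-bit ones-complement
    style sum over the KEY RDATA, carries folded back in, masked to 16 bits."""
    ac = 0
    for i, octet in enumerate(key_rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def encode_cert_rdata(cert_type: int, tag: int, algorithm: int, certificate: bytes) -> bytes:
    """Build CERT RDATA: type (2 octets), key tag (2), algorithm (1), certificate."""
    if not 0 <= cert_type <= 0xFFFF:
        raise ValueError("certificate type must fit in 16 bits")
    if not 0 <= tag <= 0xFFFF:
        raise ValueError("key tag must fit in 16 bits")
    if not 0 <= algorithm <= 0xFF:
        raise ValueError("algorithm must fit in 8 bits")
    return struct.pack("!HHB", cert_type, tag, algorithm) + certificate


def decode_cert_rdata(rdata: bytes) -> dict:
    """Split CERT RDATA into its fields.  The certificate bytes are returned
    untouched: a resolver has no reason to look inside them."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than the fixed 5-octet header")
    cert_type, tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return {
        "type": cert_type,
        "type_mnemonic": CERT_TYPES.get(cert_type, str(cert_type)),
        "key_tag": tag,
        "algorithm": algorithm,
        "certificate": rdata[5:],
    }


def to_presentation(rdata: bytes) -> str:
    """Master-file form from RFC 2538 section 2.2: type, key tag, algorithm,
    then the certificate in base64."""
    f = decode_cert_rdata(rdata)
    cert_b64 = base64.b64encode(f["certificate"]).decode("ascii")
    return f"{f['type_mnemonic']} {f['key_tag']} {f['algorithm']} {cert_b64}"


def unpack_rawkey_placeholder(certificate: bytes) -> dict:
    """Hypothetical framing for the proposed raw-key type: 1-octet version,
    2-octet application identifier, then the bare key.  This is exactly the
    extra structure that would have to be defined inside the otherwise opaque
    certificate field, which is the message's objection."""
    if len(certificate) < 3:
        raise ValueError("raw-key payload shorter than version + application id")
    version, app_id = struct.unpack("!BH", certificate[:3])
    return {"version": version, "app_id": app_id, "key": certificate[3:]}


def demo() -> tuple:
    # Constructed KEY RDATA stand-in, used only to derive a key tag.
    fake_key_rdata = b"\x01\x02\x03\x04"
    tag = key_tag(fake_key_rdata)
    # Constructed certificate bytes (not a real certificate).
    pkix_rdata = encode_cert_rdata(1, tag, 5, b"abc")
    # Constructed raw-key payload under the hypothetical framing.
    raw_payload = struct.pack("!BH", 1, 0x1234) + b"\x10\x20\x30"
    raw_rdata = encode_cert_rdata(RAWKEY_TYPE_PLACEHOLDER, tag, 5, raw_payload)
    return to_presentation(pkix_rdata), to_presentation(raw_rdata)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point the two `to_presentation` outputs make is that a CERT-aware resolver sees only a type number and an opaque blob either way; every bit of the version and application-identifier handling in `unpack_rawkey_placeholder` is new code that an APPKEY RR would have carried in its own RDATA definition instead.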