To: Derek Atkins <warlord@MIT.EDU>
Cc: Edward Lewis <lewis@tislabs.com>, <dnssec@cafax.se>
From: Jakob Schlyter <jakob@crt.se>
Date: Tue, 4 Sep 2001 22:21:40 +0200 (MEST)
In-Reply-To: <sjmvgiyrdql.fsf@rcn.ihtfp.org>
Sender: owner-dnssec@cafax.se
Subject: Re: CERTificates and public keys
On 4 Sep 2001, Derek Atkins wrote:

> It would be less confusing than having to have each app decide whether
> it's looking for a 'Cert' or 'Appkey' record when it wants to look for
> a key in the DNS. Having a single place to look is a Good Thing (TM).

speaking as one of the few people who has actually written software that uses DNSSEC for application security, both KEY and CERT, I must say this is wrong. the application knows what it's looking for. if I'm trying to look up an X.509 certificate, I'll use CERT. if I'm trying to look up a raw ssh host key or an IPsec/IKE host key, I'll use APPKEY. my trust model probably also depends on what kind of information I ask for, if the answer was signed and if it had its signature as well.

jakob
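As an added illustration of the point above (not code from the thread or from any of the posters' software): an application that wants an X.509 certificate queries CERT, parses the RFC 2538 RDATA, keeps only PKIX-typed records, and accepts nothing from an answer that was not signed. The `answer` dict shape and the sample RRset are constructed stand-ins for a real resolver result.

```python
import struct

# CERT RR "type" field values from RFC 2538, section 2.1.
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 253: "URI", 254: "OID"}


def parse_cert_rdata(rdata: bytes) -> dict:
    """Split CERT RDATA into its fields: type(16) | key tag(16) | algorithm(8) | certificate."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-byte fixed header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return {
        "type": CERT_TYPES.get(cert_type, f"TYPE{cert_type}"),
        "key_tag": key_tag,
        "algorithm": algorithm,
        "certificate": rdata[5:],
    }


def x509_certs_from_answer(answer: dict) -> list:
    """Return the DER blobs of PKIX-typed CERT records, but only from a signed answer.

    `answer` is a constructed stand-in for a resolver result (hypothetical shape):
    {"signed": bool, "rdatas": [bytes, ...]}. A real lookup would set "signed" from
    DNSSEC validation of the RRset's signature; here the caller supplies it.
    """
    if not answer.get("signed"):
        # Unsigned data earns no trust for this use: return nothing rather than fall back.
        return []
    return [
        rec["certificate"]
        for rec in map(parse_cert_rdata, answer["rdatas"])
        if rec["type"] == "PKIX"  # other CERT types (PGP, SPKI, ...) are not what we asked for
    ]


# Constructed sample RRset: one PKIX cert and one PGP key, with placeholder payloads.
SAMPLE_RDATAS = [
    struct.pack("!HHB", 1, 12345, 5) + b"<DER X.509 placeholder>",
    struct.pack("!HHB", 3, 0, 0) + b"<PGP key placeholder>",
]

if __name__ == "__main__":
    print(x509_certs_from_answer({"signed": True, "rdatas": SAMPLE_RDATAS}))
    print(x509_certs_from_answer({"signed": False, "rdatas": SAMPLE_RDATAS}))
```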