To: Jakob Schlyter <jakob@crt.se>
Cc: Edward Lewis <lewis@tislabs.com>, <dnssec@cafax.se>
From: Derek Atkins <warlord@MIT.EDU>
Date: 04 Sep 2001 16:47:02 -0400
In-Reply-To: Jakob Schlyter's message of "Tue, 4 Sep 2001 22:21:40 +0200 (MEST)"
Sender: owner-dnssec@cafax.se
Subject: Re: CERTificates and public keys
Jakob Schlyter <jakob@crt.se> writes:

> the application knows what it's looking for. if I'm trying to look up an
> X.509 certificate, I'll use CERT. if I'm trying to look up a raw ssh host
> key or an IPsec/IKE host key, I'll use APPKEY. my trust model probably also
> depends on what kind of information I ask for, if the answer was signed
> and if it had its signature as well.

An application can just as easily look for a CERT record as it can look
for an APPKEY record. However, maintaining the records is easier if there
is only one. If you want to reuse keying information it is much easier if
you have only one record.

Yes, an application knows what it's looking for. SSH, for example, could
look up a CERT record, look for the 'SSH Key' certificate type, and then
know that, gee, this is a raw key (because SSH doesn't do certificates).

> jakob

-derek

PS: I'm currently working on software to use DNSSec for key distribution,
and honestly I want one record type to look for. It makes it much easier
to write a 'getkeybyname()' library function when you have a single
query-type.

PPS: People should stop thinking that the 'CERT RR' necessarily requires a
"Certificate". We can define additional 'Certificate Types' that can store
any kind of keying information we want.

PPPS: Perhaps we should rev CERT to provide an additional application-type
flag?

-- 
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
warlord@MIT.EDU                        PGP key available
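The "one query type, dispatch on certificate type" idea from the message above, as an added example; this is not code from the list, from Derek's key-distribution software, or from any DNS library. It parses CERT RDATA in the RFC 2538 wire layout (16-bit type, 16-bit key tag, 8-bit algorithm, data), looks up records by name and type in a constructed stand-in for an already-validated CERT RRset (no DNS query or DNSSEC validation is performed; that is out of scope), and decodes an SSH raw public key in the usual SSH wire encoding. The value 65280 used for a raw SSH key type is an assumption placed in the experimental range; no such type is registered, it merely stands in for the 'SSH Key' type the mail proposes. The modulus and the DER placeholder are toy values, not real keys or certificates.

```python
import struct
from typing import Dict, List, NamedTuple, Optional, Tuple

# Registered CERT types from RFC 2538 section 2.1.
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 253: "URI", 254: "OID"}

# Hypothetical "raw SSH key" type in the experimental range (65280-65534).
# Assumption for this example only: no such type is registered with IANA.
CERT_TYPE_SSH_RAW = 65280
CERT_TYPES[CERT_TYPE_SSH_RAW] = "SSH-RAW (hypothetical)"


class CertRecord(NamedTuple):
    cert_type: int
    key_tag: int
    algorithm: int
    data: bytes


def build_cert_rdata(cert_type: int, key_tag: int, algorithm: int, data: bytes) -> bytes:
    """CERT RDATA (RFC 2538 sec. 2): type(16) | key tag(16) | algorithm(8) | data."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + data


def parse_cert_rdata(rdata: bytes) -> CertRecord:
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-byte fixed header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return CertRecord(cert_type, key_tag, algorithm, rdata[5:])


# SSH wire encoding (RFC 4253 sec. 5 and 6.6): string = uint32 length + bytes,
# mpint = string holding a big-endian two's-complement integer.
def _ssh_string(b: bytes) -> bytes:
    return struct.pack("!I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:          # leading zero keeps the value positive
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_ssh_rsa_pubkey(e: int, n: int) -> bytes:
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def decode_ssh_rsa_pubkey(blob: bytes) -> Tuple[int, int]:
    """Return (e, n) from an ssh-rsa blob, rejecting truncated input."""
    fields: List[bytes] = []
    off = 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated SSH string length")
        (ln,) = struct.unpack("!I", blob[off:off + 4])
        off += 4
        if off + ln > len(blob):
            raise ValueError("truncated SSH string body")
        fields.append(blob[off:off + ln])
        off += ln
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


# Constructed, offline stand-in for a DNSSEC-validated CERT RRset. Real code
# would query and validate the RRset first; that part is out of scope here.
SAMPLE_E = 65537
SAMPLE_N = 0xDEADBEEFCAFEF00D  # toy modulus, not a usable key
SAMPLE_DER = b"\x30\x0a\x02\x01\x01\x04\x05hello"  # DER placeholder, not a real certificate

SAMPLE_RRSET: Dict[str, List[bytes]] = {
    "host.example.": [
        build_cert_rdata(1, 12345, 1, SAMPLE_DER),
        build_cert_rdata(CERT_TYPE_SSH_RAW, 0, 0,
                         encode_ssh_rsa_pubkey(SAMPLE_E, SAMPLE_N)),
    ],
}


def getkeybyname(name: str, cert_type: int,
                 rrset: Dict[str, List[bytes]] = SAMPLE_RRSET) -> List[CertRecord]:
    """One query type (CERT); the application selects on the type field."""
    return [rec for rec in map(parse_cert_rdata, rrset.get(name, []))
            if rec.cert_type == cert_type]


def ssh_host_key(name: str, rrset=SAMPLE_RRSET) -> Optional[Tuple[int, int]]:
    """What an SSH client would do: ask for the raw-key type, decode the blob."""
    recs = getkeybyname(name, CERT_TYPE_SSH_RAW, rrset)
    return decode_ssh_rsa_pubkey(recs[0].data) if recs else None


if __name__ == "__main__":
    for rec in map(parse_cert_rdata, SAMPLE_RRSET["host.example."]):
        print(CERT_TYPES.get(rec.cert_type, "unknown"), rec.key_tag, rec.algorithm, len(rec.data))
    print(ssh_host_key("host.example."))
```

The single lookup function is the same for the X.509 case and the raw-key case; only the type filter and the per-type decoder differ, which is the maintenance argument the mail makes. A client that honours the trust model Jakob describes would still have to check that the RRset it dispatches on was DNSSEC-validated before trusting any of these records.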