To: Derek Atkins <warlord@MIT.EDU>
Cc: Jakob Schlyter <jakob@crt.se>, Edward Lewis <lewis@tislabs.com>, <dnssec@cafax.se>
From: Edward Lewis <lewis@tislabs.com>
Date: Tue, 4 Sep 2001 16:54:42 -0400
In-Reply-To: <sjmsne2r8e1.fsf@rcn.ihtfp.org>
Sender: owner-dnssec@cafax.se
Subject: Re: CERTificates and public keys
At 4:47 PM -0400 9/4/01, Derek Atkins wrote:

>PPS: People should stop thinking that the 'CERT RR' necessarily
>requires a "Certificate". We can define additional 'Certificate
>Types' that can store any kind of keying information we want.
>
>PPPS: Perhaps we should rev CERT to provide an additional
>application-type flag?

The problem with this line of reasoning is that it raises the problem of subtyping.

What is subtyping? This refers to the overloading of a DNS RR type to hold different kinds of data. According to one person (a name I know, but won't make public here), the history of subtyping in DNS has led to problems.[1] In more recent times, we have tried to subtype the KEY RR - and we see where that has gotten us - which is the first time I have seen the "sting" of subtyped records.

It seems to me that we want to keep the scope of records small. The CERT RR is lightweight because it assumes a lot of work already went into the making of the certificate. An APPKEY RR needs to be heavier (as in having more fields) to make up for the fact that the payload is just a public key.

[1] Yes, this is a weak statement. I will make a note of trying to get more details on the "failures."

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NAI Labs
Phone: +1 443-259-2352
Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.