To: dnssec@cafax.se
From: Edward Lewis <lewis@tislabs.com>
Date: Tue, 4 Sep 2001 20:50:02 -0400
In-Reply-To: <200109042214.f84MEnR07083@east.east.isi.edu>
Sender: owner-dnssec@cafax.se
Subject: Re: CERTificates and public keys
At 6:14 PM -0400 9/4/01, Allison Mankin wrote:

> I read RFC2538 as admitting a use like this one. The
> breadth of the type field and the IANA considerations show
> that varied uses of the CERT record are expected.
>
> Also I find that this discussion is in the weeds when many
> folks here are giving opinions that because it's a "CERT",
> it must be X.509 or have a CA. A member of the Security Mafia :)
> (Derek) has told us otherwise...

I think the following passage is why I and others feel that the CERT is for publishing products of the Security Mafia:

# 6. Security Considerations
#
# By definition, certificates contain their own authenticating
# signature. Thus it is reasonable to store certificates in non-secure
# DNS zones or to retrieve certificates from DNS with DNS security
# checking not implemented or deferred for efficiency.

Perhaps we (Jakob? ;)) should try to document APPKEY as a certificate format, with algorithm and tag fields being zero. If we pursue this, we should revise 2538 to change section 6.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                          NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.