To: <mankin@isi.edu>
Cc: Simon Josefsson <simon+dnssec@josefsson.org>, <dnssec@cafax.se>
From: Jakob Schlyter <jakob@crt.se>
Date: Wed, 5 Sep 2001 12:48:55 +0200 (MEST)
In-Reply-To: <200109042214.f84MEnR07083@east.east.isi.edu>
Sender: owner-dnssec@cafax.se
Subject: Re: CERTificates and public keys

On Tue, 4 Sep 2001, Allison Mankin wrote:

> For the right need, nothing, but a new RR means passing another spec
> through the standards process (and the IESG, where there be dragons),
> as well as extending the implementations.

the dragons are a good thing as they will prevent bad things from entering
the standard dungeon.

> I read RFC2538 as admitting a use like this one. The breadth of the
> type field and the IANA considerations show that varied uses of the
> CERT record are expected.

on the contrary, nothing in 2538 shows that it is intended for other uses
than certificates.

> Also I find that this discussion is in the weeds when many folks here
> are giving opinions that because it's a "CERT", it must be X.509 or
> have a CA. A member of the Security Mafia :) (Derek) has told us
> otherwise...

a CERT does not have to be X.509 nor have a CA - it must carry its own
authenticating signature. we could choose to change that requirement, but
then we wouldn't, IMHO, have a certificate stored inside the CERT.

jakob