To:
GILBERT.R.LOOMIS@saic.com
Cc:
jakob@crt.se, warlord@MIT.EDU, scottr@antd.nist.gov, dnssec@cafax.se
From:
Havard Eidnes <he@uninett.no>
Date:
Wed, 05 Sep 2001 12:51:43 +0200 (CEST)
In-Reply-To:
<3C1E3607B37295439F7C409EFBA08E680E267F@col-581-exs01.cist.saic.com>
Sender:
owner-dnssec@cafax.se
Subject:
Re: CERTificates and public keys
Hi,

I agree that using KEY for non-DNS key material is a bad idea, as you stated.

> Is it then better to leave the current
> CERT record intact, or to deprecate it entirely
> in favor of APPKEY? Personally I would prefer
> that there be only one type of record which DNS
> servers use to support "all the other keys" rather
> than having both CERT and APPKEY...it seems cleaner,
> and it allows DNS administrators (and implementors)
> to avoid worrying about the differences.

A key is not a certificate, and a certificate is not a key. I think it would be a good idea to keep this distinction, and not cause even more needless confusion over this issue by trying to use only one RR type for both kinds of data.

Therefore, I would like to see CERT kept with its current meaning, and a new RR (APPKEY) be created for "raw key material which relies on DNSSEC for authenticity and integrity verification".

Regards,

- Håvard