To:
Edward Lewis <lewis@tislabs.com>, <dnssec@cafax.se>
From:
Ólafur Guðmundsson <ogud@ogud.com>
Date:
Thu, 06 Sep 2001 18:03:18 -0400
In-Reply-To:
<v03130315b7bd84b413b4@[10.33.10.175]>
Sender:
owner-dnssec@cafax.se
Subject:
Re: CERTificates and public keys
At 04:00 PM 9/6/2001, Edward Lewis wrote:
>At 2:25 PM -0400 9/6/01, Ólafur Guðmundsson wrote:
> >DNS lesson: sub typing is BAD BAD BAD,
>
>Please, please elaborate. I, for one, have been repeating this yet have
>never had anyone supply me with a truly horrible tale of woe. I don't
>doubt your words but I need more than folklore to justify work.

A number of examples:
Multiple uses of one type may lead to large RRsets; applications ask for a
type but do not understand the contents of it.
Hard to create an API without using unions (in C).
Best example is the SIG record: it is impossible to ask for SIG_DSA(SOA)
without getting all the other SIGs.
KEY and CERT expose applications that ask for them to information that the
application does not know how to interpret or use.

DNS should provide applications with exactly the data that the application
wants. (Note: "application" above refers to any entity originating a DNS
query, including DNS servers/resolvers.)

Just because an application wants an address for a host, we have not put
IPv4, X.25, AAAA and A6 addresses into one record type. This is good even
though in some cases multiple queries are required.

> >I, in general do not see any problem with having both APPKEY and CERT
> >records for use by applications as long as the goal is for each
> >application to use ONLY ONE of the two. But there will be applications
> >like IPSEC where CERT is specified but people will try to escape from
> >the extortion/certificate authorities thus migrating to APPKEY.
>
>Isn't it up to the application to do what it wants? (Why should DNS care?)
>I have no problem recommending that an application designer stick to just
>one, but beyond that we are voyaging beyond the scope of the DNS(sec).

I could not have put it better myself. DNS is a service that carries opaque
data, but we need to provide applications with data types that are useful
for them.

Olafur
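The SIG_DSA(SOA) point above, shown in code as an added example that is not part of this thread: a QTYPE=SIG query can only select the type, so a client must parse every SIG RDATA in the returned RRset (RFC 2535 wire layout) and filter on the type-covered and algorithm fields itself. The RRset, signer name and signature bytes are constructed sample values, not real records.

```python
import struct

# RFC 2535 SIG RDATA header: type covered, algorithm, labels, original TTL,
# signature expiration, signature inception, key tag (18 bytes), then the
# signer's name (uncompressed labels here) and the signature bits.
SIG_HDR = "!HBBIIIH"
TYPE_SOA, TYPE_NS, TYPE_A = 6, 2, 1
ALG_RSAMD5, ALG_DSA = 1, 3

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def decode_name(buf, off):
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def make_sig_rdata(type_covered, algorithm, signer, signature):
    # Constructed sample values for TTL, expiration, inception and key tag.
    hdr = struct.pack(SIG_HDR, type_covered, algorithm, 1, 3600,
                      1000000100, 1000000000, 0x1234)
    return hdr + encode_name(signer) + signature

def parse_sig_rdata(rdata):
    type_covered, algorithm = struct.unpack_from(SIG_HDR, rdata, 0)[:2]
    signer, off = decode_name(rdata, struct.calcsize(SIG_HDR))
    return {"type_covered": type_covered, "algorithm": algorithm,
            "signer": signer, "signature": rdata[off:]}

def select_sig(rrset, type_covered, algorithm):
    """Client-side subtype filtering: the query cannot say SIG_DSA(SOA), so
    every SIG in the RRset is parsed and the unwanted ones are discarded."""
    parsed = [parse_sig_rdata(r) for r in rrset]
    return [s for s in parsed
            if s["type_covered"] == type_covered and s["algorithm"] == algorithm]

# Constructed RRset as one QTYPE=SIG answer would return it: four SIGs,
# only one of which covers SOA with DSA.
SIG_RRSET = [
    make_sig_rdata(TYPE_SOA, ALG_RSAMD5, "example.", b"\x01" * 4),
    make_sig_rdata(TYPE_NS, ALG_DSA, "example.", b"\x02" * 4),
    make_sig_rdata(TYPE_SOA, ALG_DSA, "example.", b"\x03" * 4),
    make_sig_rdata(TYPE_A, ALG_DSA, "example.", b"\x04" * 4),
]
```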