But I think it is an IETF problem to provide an informational RFC to provide a map between certificate DN and DNS namespace and to provide a mechanism to look at CERT and CRL. Then it is an ICANN problem to implement on the root-servers and delegate to others...
From reviewing the 2 RFCs (CERT and SIG) it appears that DNS protocol has all which is required now, but needs some structure and standardisation.
For instance:
In the certificate C= could be root or the ccTLD or gTLD, then O= could be the rest of the domain name
CN would be the hostname, e-mail address, name of a person (all belonging to the domain)
an X509 critical key would be used to limit the issue of certificates outside the domain name.
It is then easy to map the certificate to a CERT DNS entry by doing a DNS query for the CERT record to the O=+C= domain.
The CERT DNS entry allows the use of a URI, the URI would point:
1) to the certificate (http://www.sopac.org/ssl/sopac.crt)
2) to the CRL (http://www.sopac.org/ssl/sopac.crl)
3) to the OCSP?
(ldap could be used instead of http)
Lastly, using 1) but adding certificate.html?ID=xxx you could retrieve any certificate signed by 1) and then get the public key amongst other things...
This is a quick write up of ideas, which needs more thinking but,
1) it provides the mapping between certificates and DNS system
2) it is not heavy on the DNS because it answers a URI and not the certificate or key or whatever
3) it provides an independent way to check CRL without the DNS TTL issue and caching....
4) http, ldap and DNS are well established protocols that are mostly enabled via firewalls.
Should such an RFC be written?
Cheers.
franck@sopac.org
On Mon, 2002-06-10 at 01:57, Valdis.Kletnieks@vt.edu wrote:
> On Sun, 09 Jun 2002 21:36:08 EDT, Keith Moore said:
> > > Unfortunately, Zymyrgy's Law of Evolving Thermodynamics applies here.
> > > The worms are out of the can, and I suggest anybody who wants to fight
> > > this battle order at least a 4-sizes-larger can....
> >
> > these particular worms are still in the can, and it's probably better
> > for everyone if they stay there.
>
> I stand corrected. The company I was thinking of is in both lines of business, but hasn't succeeded in actually equating them....
>
> /Valdis
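The DN-to-DNS mapping and CERT-record URI lookup sketched in Franck's message above (C= as the TLD, O= as the rest of the domain, CERT record answering a URI rather than the certificate itself), as an added Python example that is not code from the message, from sopac.org, or from any RFC. It assumes the RFC 2538 CERT RDATA layout (type, key tag, algorithm, then the certificate/CRL field) and assumes that for the "URI private" type 253 the field begins with a null-terminated URI; the `SAMPLE_RECORDS` dictionary is constructed sample data standing in for a real DNS CERT query, and the in-zone check on the returned URI is this example's own addition, not something the message specifies.

```python
import struct
from urllib.parse import urlparse

CERT_TYPE_URI = 253  # "URI private" certificate type code (RFC 2538 section 2.1)


def dn_to_zone(dn: str) -> str:
    """Map a DN such as 'CN=www, O=sopac, C=org' to the O=+C= zone 'sopac.org'.

    This follows the mapping proposed in the message: C= is the TLD, O= the
    rest of the domain name, CN the host/mailbox/person inside that domain.
    """
    parts = {}
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        parts[key.strip().upper()] = value.strip()
    if "C" not in parts or "O" not in parts:
        raise ValueError("DN must carry both O= and C=")
    return f"{parts['O']}.{parts['C']}".lower()


def build_cert_rdata(uri: str, key_tag: int = 0, algorithm: int = 0) -> bytes:
    """Wire-format CERT RDATA: type(2) | key tag(2) | algorithm(1) | cert/CRL field.

    Assumption for type 253: the field starts with a null-terminated URI.
    """
    header = struct.pack("!HHB", CERT_TYPE_URI, key_tag, algorithm)
    return header + uri.encode("ascii") + b"\x00"


def parse_cert_rdata(rdata: bytes) -> dict:
    """Decode CERT RDATA; the URI is only extracted for the URI private type."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-byte fixed header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    body = rdata[5:]
    record = {"type": cert_type, "key_tag": key_tag,
              "algorithm": algorithm, "uri": None}
    if cert_type == CERT_TYPE_URI:
        nul = body.find(b"\x00")
        if nul < 0:
            raise ValueError("URI private CERT record lacks a terminating null")
        record["uri"] = body[:nul].decode("ascii")
    return record


def uri_within_zone(uri: str, zone: str) -> bool:
    """Accept only http/https/ldap/ldaps URIs whose host lies inside the queried zone.

    A CERT answer pointing outside the O=+C= domain is rejected rather than
    followed, so a stray or spoofed record cannot redirect the certificate fetch.
    """
    parsed = urlparse(uri)
    if parsed.scheme not in ("http", "https", "ldap", "ldaps"):
        return False
    host = (parsed.hostname or "").lower()
    return host == zone or host.endswith("." + zone)


def resolve_certificate_uri(dn: str, records: dict) -> str:
    """Look up the zone derived from the DN and return the first usable CERT URI.

    `records` stands in for a DNS CERT query: zone name -> list of RDATA blobs.
    """
    zone = dn_to_zone(dn)
    for rdata in records.get(zone, []):
        parsed = parse_cert_rdata(rdata)
        if parsed["uri"] and uri_within_zone(parsed["uri"], zone):
            return parsed["uri"]
    raise LookupError(f"no usable CERT record for zone {zone}")


# Constructed sample zone data: the first record points outside the zone and
# must be skipped; the second is the in-zone pointer from the message.
SAMPLE_RECORDS = {
    "sopac.org": [
        build_cert_rdata("http://elsewhere.example/ssl/sopac.crt"),
        build_cert_rdata("http://www.sopac.org/ssl/sopac.crt"),
    ]
}

if __name__ == "__main__":
    print(resolve_certificate_uri("CN=www, O=sopac, C=org", SAMPLE_RECORDS))
```

The same lookup serves the CRL case from point 2) of the message: publish a second type 253 record whose URI ends in `.crl`, and the client fetches it over http or ldap, independently of DNS TTLs and caching.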