Pekka Savola <pekkas@netcore.fi> writes:
> On Sat, 8 Jun 2002, Michael Richardson wrote:
>> >>>>> "Franck" == Franck Martin <franck@sopac.org> writes:
>>     Franck> I was wondering if the best system to build a global PKI wouldn't be the
>>     Franck> DNS system already in place?
>>
>>     Franck> The root servers would share the ROOT Certificates and would sign a
>>     Franck> certificate to each .org .com .net .fr,... managers of these
>>     Franck> domains... which in turn would use these certificates to sign subdomain
>>     Franck> certificates...
>>
>>   Please see the minutes from the "siked" BOF from #53... oops, none produced.
>>
>>   http://www.ietf.org/ietf/02mar/siked.txt
>>   and the mailing list at keydist@cafax.se.
>
> I think this was when Randy Bush (with Ops & Mgmt Area Director hat on)
> said that certificates will not be stored in DNS; keys.. if you really
> want, why not (but if you don't understand the difference between keys
> and certificates, be quiet).

Both public keys and certificates can already be stored in DNS; see RFC 2535
and RFC 2538. RFC 2535 is "editorially" updated to not include the application
public key support any more, though.

Since this was CC'd to keydist: I think the keydist effort has been superseded
by reality. Despite the FUD presented by certain individuals who don't want
keys/certs in DNS, people have already started doing it and it works fine. The
only difference is that the way people do it is not standardized.
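As an added example that is not part of the thread (and not code from any of the posters or from the RFC authors), the following Python shows what "storing keys and certificates in DNS" looks like on the wire under the RFCs cited above: it builds and parses a CERT RR as laid out in RFC 2538 (16-bit type, 16-bit key tag, 8-bit algorithm, then the certificate), and computes the RFC 2535 Appendix C key tag over a KEY RR's RDATA, which is the field that lets a resolver match a CERT RR to the KEY RR it belongs to. The KEY RDATA and certificate bytes are constructed placeholders, not real credentials, and the function names are the example's own.

```python
"""
Added example (not code from the thread or from the RFCs' authors): build,
parse and tag DNS CERT RRs per RFC 2538, using the KEY RR key tag rule from
RFC 2535 Appendix C.  All key and certificate bytes below are constructed
placeholders, not real keys or certificates.
"""
import base64
import struct

# CERT "type" field values and their master-file mnemonics, RFC 2538 section 2.1
CERT_TYPES = {"PKIX": 1, "SPKI": 2, "PGP": 3, "URI": 253, "OID": 254}
ALG_RSAMD5 = 1  # algorithm number for RSA/MD5, RFC 2535 section 3.2


def key_tag(rdata: bytes, algorithm: int) -> int:
    """Key tag over a KEY RR's RDATA (RFC 2535 Appendix C).

    Algorithm 1 (RSA/MD5) is special-cased by the RFC: the tag is the most
    significant 16 bits of the least significant 24 bits of the modulus, i.e.
    the next-to-last two bytes of the RDATA.  Every other algorithm uses the
    16-bit-word sum with the carry folded back in once.
    """
    if algorithm == ALG_RSAMD5:
        if len(rdata) < 3:
            raise ValueError("RSA/MD5 KEY RDATA too short to carry a modulus")
        return (rdata[-3] << 8) | rdata[-2]
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """KEY RR RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key (RFC 2535 3.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def cert_rdata(cert_type: int, tag: int, algorithm: int, cert: bytes) -> bytes:
    """CERT RR RDATA: 16-bit type, 16-bit key tag, 8-bit algorithm, cert (RFC 2538 2)."""
    return struct.pack("!HHB", cert_type, tag, algorithm) + cert


def parse_cert_rdata(rdata: bytes):
    """Split CERT RDATA back into (type, key tag, algorithm, certificate bytes)."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-byte fixed header")
    cert_type, tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return cert_type, tag, algorithm, rdata[5:]


def cert_presentation(cert_type: int, tag: int, algorithm: int, cert: bytes) -> str:
    """Master-file form "CERT <type> <key tag> <algorithm> <base64>" (RFC 2538 2.3)."""
    return f"CERT {cert_type} {tag} {algorithm} {base64.b64encode(cert).decode('ascii')}"


def parse_cert_presentation(text: str):
    """Parse the master-file form; the type may be a mnemonic or a number."""
    fields = text.split()
    if len(fields) < 5 or fields[0].upper() != "CERT":
        raise ValueError("expected: CERT <type> <key tag> <algorithm> <base64 ...>")
    cert_type = CERT_TYPES.get(fields[1].upper())
    if cert_type is None:
        cert_type = int(fields[1])
    tag, algorithm = int(fields[2]), int(fields[3])
    if not (0 <= cert_type <= 0xFFFF and 0 <= tag <= 0xFFFF and 0 <= algorithm <= 0xFF):
        raise ValueError("CERT field out of range")
    # The base64 blob may be split across whitespace in a zone file; rejoin it.
    cert = base64.b64decode("".join(fields[4:]), validate=True)
    return cert_type, tag, algorithm, cert


def cert_matches_key(cert_rr: bytes, key_rr: bytes) -> bool:
    """Cheap pre-check: could this CERT RR belong to this KEY RR?

    The key tag is a 16-bit hint, not a fingerprint; collisions are possible,
    so a match means "worth parsing the certificate", never "this is the key".
    """
    _, tag, algorithm, _ = parse_cert_rdata(cert_rr)
    key_alg = key_rr[3]  # algorithm byte of the KEY RDATA
    return algorithm == key_alg and tag == key_tag(key_rr, key_alg)


# Constructed sample data (placeholders, not real credentials).
SAMPLE_KEY = key_rdata(flags=0x0100, protocol=3, algorithm=3,
                       public_key=bytes.fromhex("0102030405"))
SAMPLE_CERT = b"\x30\x0bnot-a-cert"  # DER-looking placeholder, not a certificate


def build_sample_cert_rr() -> bytes:
    """CERT RR (type PKIX) for SAMPLE_KEY, with the key tag taken from the KEY RDATA."""
    return cert_rdata(CERT_TYPES["PKIX"], key_tag(SAMPLE_KEY, 3), 3, SAMPLE_CERT)


if __name__ == "__main__":
    rr = build_sample_cert_rr()
    print(cert_presentation(*parse_cert_rdata(rr)))
    print("matches sample key:", cert_matches_key(rr, SAMPLE_KEY))
```

The point of `cert_matches_key` is the one the thread's distinction between keys and certificates turns on: the CERT RR carries the certificate, the KEY RR carries the bare key, and the only link between the two records is the algorithm number plus a 16-bit tag, which is an efficiency hint and not an authentication of anything.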