Re: Global PKI on DNS?

Bill Sommerfeld wrote:
>>	As others have pointed out, the DNS already has the capability
>>	to store certs.  So you could use the DNS as a publication
>>	method.  But is this the only thing a PKI needs?  How would
>>	one revoke a cert that was in the DNS?  How can you update
>>	-every- cached copy of the cert in question?
>
>
> you don't need to.  there are in general two options for this sort of
> thing:
>
>   1) short lived certs
>   2) CRLs published at regular intervals.
>
> both involve regularly-signed short-lived objects.

Errr - OCSP?

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
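The two options Bill lists (short-lived certs, regularly re-signed CRLs) work because the relying party checks freshness, not because anyone purges cached copies. As an added example that is not part of this thread, the Python below models both: a cached cert is accepted only inside its own validity window, and a CRL only before its next_update. HMAC with a constructed key stands in for the CA's signature (an assumption for brevity; a real CA uses an asymmetric signature).

```python
import hmac, hashlib, json

CA_KEY = b"constructed-ca-key"  # stand-in for the CA's private signing key (constructed)

def sign(body: dict) -> dict:
    """Wrap a cert or CRL body with a CA 'signature' (HMAC stand-in, see lead-in)."""
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(CA_KEY, raw, hashlib.sha256).hexdigest()}

def verify_sig(signed: dict) -> bool:
    """Recompute the tag over the canonical body; constant-time compare."""
    raw = json.dumps(signed["body"], sort_keys=True).encode()
    want = hmac.new(CA_KEY, raw, hashlib.sha256).hexdigest()
    return hmac.compare_digest(want, signed["sig"])

def make_cert(serial: str, issued: float, lifetime: float) -> dict:
    """Option 1: a short-lived cert; its expiry alone bounds how long any cached copy is usable."""
    return sign({"serial": serial, "not_before": issued, "not_after": issued + lifetime})

def make_crl(issued: float, interval: float, revoked: list) -> dict:
    """Option 2: a CRL re-signed every `interval` seconds; next_update bounds its usefulness."""
    return sign({"this_update": issued, "next_update": issued + interval, "revoked": revoked})

def cert_ok(cert: dict, now: float, crl: dict = None) -> tuple:
    """Decide whether a (possibly stale, DNS-cached) cert may be relied on at time `now`.
    Returns (accepted, reason). A stale cache never matters: an expired cert or an
    out-of-date CRL is rejected on its own terms, forcing a fresh fetch."""
    if not verify_sig(cert):
        return False, "bad cert signature"
    c = cert["body"]
    if not (c["not_before"] <= now < c["not_after"]):
        return False, "cert outside validity window"
    if crl is not None:
        if not verify_sig(crl):
            return False, "bad CRL signature"
        r = crl["body"]
        if now >= r["next_update"]:
            return False, "CRL stale: relying party must fetch a newer one"
        if c["serial"] in r["revoked"]:
            return False, "serial listed in CRL"
    return True, "ok"
```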