Bill Sommerfeld wrote:
>> As others have pointed out, the DNS already has the capability
>> to store certs. So you could use the DNS as a publication
>> method. But is this the only thing a PKI needs? How would
>> one revoke a cert that was in the DNS? How can you update
>> -every- cached copy of the cert in question?
>
>
> you don't need to. there are in general two options for this sort of
> thing:
>
> 1) short lived certs
> 2) CRLs published at regular intervals.
>
> both involve regularly-signed short-lived objects.

Errr - OCSP?

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html
http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
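The thread's point, that both short-lived certs and periodically published CRLs are "regularly-signed short-lived objects" whose cached copies go stale on their own, can be modelled directly. The following is an added example, not code from either poster: it uses an HMAC as a stand-in for the CA's signature so it runs offline, models a CA that publishes a CRL once per interval, and a relying party that caches the CRL and only re-fetches when the cached copy's next_update has passed. The names (`CA`, `RelyingParty`, `first_rejection_time`, serial `serial-42`) and the time units are all constructed for the example. Running the simulation shows the worst-case window between a revocation and every cache rejecting the cert is bounded by the publication interval, which is the answer to the "update every cached copy" question: you don't, you just bound how long a cached copy stays valid.

```python
import hashlib
import hmac
import json

# Constructed demo key standing in for the CA's private key. A real CA uses an
# asymmetric signature; HMAC-SHA256 is used here only to keep the example offline.
CA_KEY = b"constructed-demo-ca-key"


def ca_sign(payload: dict) -> dict:
    """Wrap a payload in a signed envelope (assumption: HMAC as the signature)."""
    body = json.dumps(payload, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(CA_KEY, body, hashlib.sha256).hexdigest()}


def ca_verify(envelope: dict):
    """Return the payload if the signature checks out, else None."""
    expected = hmac.new(CA_KEY, envelope["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["sig"]):
        return None
    return json.loads(envelope["body"])


class CA:
    """Issues short-lived certs and publishes a fresh CRL once per `interval`."""

    def __init__(self, interval: int):
        self.interval = interval
        self.revoked = set()
        self.crl = None  # most recently published CRL envelope

    def issue_cert(self, serial: str, now: int, lifetime: int) -> dict:
        return ca_sign({"serial": serial, "not_before": now, "not_after": now + lifetime})

    def revoke(self, serial: str) -> None:
        self.revoked.add(serial)  # only visible once the next CRL is published

    def publish_if_due(self, now: int) -> None:
        # The CRL is itself a short-lived signed object, valid until the next issue.
        if now % self.interval == 0:
            self.crl = ca_sign({"revoked": sorted(self.revoked), "this_update": now,
                                "next_update": now + self.interval})


class RelyingParty:
    """Caches the CRL and re-fetches only when the cached copy has expired."""

    def __init__(self, ca: CA):
        self.ca = ca
        self.cached_crl = None

    @staticmethod
    def _fresh(crl, now: int) -> bool:
        return crl is not None and crl["this_update"] <= now < crl["next_update"]

    def accept(self, cert_envelope: dict, now: int) -> bool:
        cert = ca_verify(cert_envelope)
        if cert is None or not (cert["not_before"] <= now < cert["not_after"]):
            return False  # bad signature or outside the cert's own validity window
        crl = ca_verify(self.cached_crl) if self.cached_crl is not None else None
        if not self._fresh(crl, now):
            self.cached_crl = self.ca.crl  # cached copy stale: fetch the current one
            crl = ca_verify(self.cached_crl) if self.cached_crl is not None else None
        if not self._fresh(crl, now):
            return False  # fail closed: no fresh, validly signed CRL available
        return cert["serial"] not in crl["revoked"]


def first_rejection_time(interval: int, revoke_at: int, lifetime: int = 1000) -> int:
    """Revoke the cert at `revoke_at`; return the first time a caching relying
    party rejects it (or the cert's own expiry if revocation never lands)."""
    ca = CA(interval)
    rp = RelyingParty(ca)
    cert = ca.issue_cert("serial-42", now=0, lifetime=lifetime)
    for t in range(0, lifetime + 1):
        ca.publish_if_due(t)
        if t == revoke_at:
            ca.revoke("serial-42")
        if not rp.accept(cert, t):
            return t
    return lifetime


if __name__ == "__main__":
    for revoke_at in (101, 150, 199):
        t = first_rejection_time(interval=100, revoke_at=revoke_at)
        print(f"revoked at {revoke_at}, all caches reject by {t} (lag {t - revoke_at})")
```

The lag is never more than the CRL interval, and the same bound holds for a short-lived cert whose lifetime plays the role of the interval; shrinking either is the knob that trades load on the CA against how long a stale cached copy stays usable. OCSP, raised in the reply, changes the object being fetched (a per-cert status response) but not the shape of the freshness check above.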