Hi Sergey,

That's exactly what I was thinking, and that's a cool way to distribute PKeys.
About spoofing, I agree that it's vulnerable, but it takes a bit of work.

Cheers,
Fritz.

----- Original Message -----
From: "Sergey Babkin" <babkin@bellatlantic.net>
To: <ietf@ietf.org>
Sent: Thursday, September 11, 2003 8:27 PM
Subject: Proposal to use DNS as public key repository

> Hello,
>
> I think that I've found an easy way to distribute the public keys:
> put them into DNS. The records would look like:
>
> <entity-name> IN PKEY <key-type>:<key-value>
>
> for example:
>
> babkin.-at-.bellatlantic.net IN PKEY "ssh1:1024 37 1550134074134018781239180842531603373454309268407729175684597284860789522776
> 765036113307635696866211228019143858148231273490
> 0409232249203691951375403439093052348271870888610552603391036369046162012289
> 05551802270012860844892213877621509748539922264245295221
> 03235374785283586385586920281234566901122551897435633"
>
> (I'm not quite sure yet if the values can be in quotes and if
> the spaces and other funny characters are allowed - but such things
> are solvable by some sort of escape sequences).
>
> To allow changing the keys without disruption, allow multiple
> PKEY records for an entity, and accept a match to any of them.
>
> Of course it would be only as secure as it is difficult to spoof DNS,
> so you probably won't want to use it for login information. But
> it's still adequate for less demanding applications, such as
> signing e-mail or establishing the identity of the SMTP servers.
>
> -SB
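As an added example that is not part of the thread (and not code by either author), here is a small Python parser for the proposed `<entity-name> IN PKEY <key-type>:<key-value>` record and a matcher that accepts a presented key if it equals any of the entity's published records, as the proposal suggests for key rollover. It assumes details the proposal leaves open: rdata is either a bare token or one or more double-quoted strings concatenated TXT-style with simple backslash escapes, whitespace inside a key value is insignificant, and `;` starts a zone-file comment. The zone lines and key digits are constructed placeholders.

```python
"""Parse hypothetical PKEY DNS records and match a presented key against them.

Added example for the proposal above; not part of the original thread.
Assumptions (not specified by the proposal): the rdata is either one bare token
or one or more double-quoted strings that are concatenated (TXT-style), with
backslash escapes inside quotes; whitespace inside a key value is insignificant.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PKeyRecord:
    owner: str      # normalised entity name (lower-case, no trailing dot)
    key_type: str   # e.g. "ssh1", "rsa"
    key_value: str  # whitespace-normalised key material


# Zone lines constructed for this example; the key digits are made-up placeholders.
SAMPLE_ZONE = """
; two keys for one entity, so a key rollover does not break verification
babkin.-at-.bellatlantic.net IN PKEY "ssh1:1024 37 15501340741340187812391808425316"
babkin.-at-.bellatlantic.net IN PKEY "ssh1:1024 35 98765432109876543210987654321098"
; a long value split into two quoted strings, concatenated like a TXT record
smtp.example.org.     3600 IN PKEY "rsa:MIIBIjANBgkqhkiG9w0BAQEF" "AAOCAQ8AMIIBCgKCAQEA"
; an unquoted value
mail.example.net IN PKEY rsa:AAAAB3NzaC1yc2E
"""

_LINE_RE = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?PKEY\s+(.+)$', re.IGNORECASE)
_QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
_TYPE_RE = re.compile(r'^[A-Za-z0-9_-]+$')


def normalise_owner(name: str) -> str:
    """DNS names are case-insensitive; a trailing dot marks an absolute name."""
    return name.rstrip('.').lower()


def normalise_value(value: str) -> str:
    """Collapse any run of whitespace so wrapped zone files still compare equal."""
    return ' '.join(value.split())


def _rdata_text(rdata: str) -> str:
    """Join quoted strings (dropping backslash escapes) or return a bare token unchanged."""
    rdata = rdata.strip()
    if rdata.startswith('"'):
        parts = _QUOTED_RE.findall(rdata)
        return ''.join(re.sub(r'\\(.)', r'\1', p) for p in parts)
    return rdata


def parse_record(line: str) -> PKeyRecord:
    """Parse one zone line of the form: <owner> [ttl] [IN] PKEY <type>:<value>."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PKEY record: {line!r}")
    owner, rdata = m.group(1), _rdata_text(m.group(2))
    key_type, sep, key_value = rdata.partition(':')
    if not sep or not _TYPE_RE.match(key_type) or not key_value.strip():
        raise ValueError(f"malformed <key-type>:<key-value> rdata: {rdata!r}")
    return PKeyRecord(normalise_owner(owner), key_type.lower(), normalise_value(key_value))


def parse_zone(text: str) -> List[PKeyRecord]:
    """Parse every non-blank, non-comment line (';' inside quotes is not handled)."""
    records = []
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if line:
            records.append(parse_record(line))
    return records


def published_keys(records: List[PKeyRecord], owner: str) -> List[PKeyRecord]:
    """All PKEY records published for one entity (the proposal allows several)."""
    owner = normalise_owner(owner)
    return [r for r in records if r.owner == owner]


def key_matches(records: List[PKeyRecord], owner: str, key_type: str, key_value: str) -> bool:
    """Accept the presented key if it equals ANY published key of that type.

    A plain DNS answer is unauthenticated, so this check is only as strong as the
    resolver's protection against spoofed responses (the proposal's own caveat).
    """
    wanted = (key_type.lower(), normalise_value(key_value))
    return any((r.key_type, r.key_value) == wanted for r in published_keys(records, owner))


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for r in recs:
        print(r.owner, r.key_type, r.key_value[:24] + "...")
    print(key_matches(recs, "babkin.-at-.bellatlantic.net", "ssh1",
                      "1024 35 98765432109876543210987654321098"))
```

Matching on the normalised value rather than the raw rdata is what lets a key wrapped across lines in a zone file (as in the example in the message) still compare equal to the key a client presents; the "any of them" rule is what makes an overlapping old-key/new-key rollover possible.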