Mark Andrews <marka@xxxxxxx> writes:

>> >>> Some people disagree with you and think DNSSEC is a viable PKI for their
>> >>> intended use. These people want to use DNSSEC. We can give those people
>> >>> an experimental RFC with OPENPGPKEY record, or we can force them to use
>> >>> an individual submitted draft with a TXT record stalled until expiry.
>> >>
>> >> Or they can use the already specified CERT record, which GnuPG supports.
>> >
>> > You would still need to address the key lookup mechanism. One of the
>> > reasons CERT failed for openpgp was the lack of binding between mailbox
>> > and DNS. You did not know where to look for the CERT record.
>>
>> If I understand correctly, I believe section 3 of RFC 4398 discusses this:
>> http://tools.ietf.org/html/rfc4398#section-3
>>
>> In particular section 3.3 explains how an OpenPGP key for
>> leslie@host.example would lead to a CERT record on the
>> leslie.host.example domain. See
>> http://tools.ietf.org/html/rfc4398#section-3.3
>
> Which is very much part of the problem. RFC 103[45] have mbox names
> which unfortunately causes namespace collisions. Usernames and
> hostnames shouldn't be in the same namespace. RFC 4398 continues
> to have that problem.

I don't see that as a problem. To my knowledge, associating an OpenPGP
key with a host is rare, and when it happens the usual best practice in
the OpenPGP world has been to "invent" an email address like
root@xxxxxxxxxxxxxxxx and put that in the OpenPGP key. So no collisions
happen.

Even if a collision did happen, it is not a show-stopper. You just put
two CERT records at the same name. The client will need to have
functionality to figure out which key out of several to use anyway.

/Simon
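The owner-name mapping and the collision the thread argues about, worked through in Python as an added illustration (example code written for this archive page, not posted by Simon, Mark or anyone else in the thread). The zone contents are constructed; the "3 0 0" CERT encoding follows what GnuPG's make-dns-cert emits for OpenPGP keys, and the backslash-escaping of dots in the local part follows the RFC 1035 mailbox convention used for SOA RNAME; both are assumptions of the example rather than statements from the thread.

```python
# Added example (not from the thread): derive the owner name that RFC 4398
# section 3.3 gives an OpenPGP CERT record, check a zone for the
# username/hostname collision raised above, and show two CERT records
# coexisting at one name.  The zone below is constructed for illustration.

# RFC 4398 section 2.1 certificate type value for OpenPGP packets.
CERT_TYPE_PGP = 3

# Record types whose presence marks a name as a host (or alias) rather than
# a mailbox.  Chosen for this example; not a set defined by the RFCs.
HOST_RRTYPES = {"A", "AAAA", "CNAME", "NS"}


def mailbox_to_owner_name(mailbox: str) -> str:
    """Owner name of the CERT record for an OpenPGP key per RFC 4398 s3.3:
    the local part becomes the first label and '@' becomes '.', so
    leslie@host.example maps to leslie.host.example.  Dots inside the local
    part are backslash-escaped so they do not start a new label (RFC 1035
    mailbox convention, as in SOA RNAME; an assumption of this example).
    The result is absolute and lowercased so it can key a zone lookup."""
    local, sep, domain = mailbox.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox: {mailbox!r}")
    escaped_local = local.replace(".", "\\.")
    return f"{escaped_local}.{domain.rstrip('.')}.".lower()


def find_collisions(zone: dict, mailboxes) -> dict:
    """Map each mailbox to the host record types already present at the
    owner name its CERT would occupy; mailboxes without a clash are omitted."""
    clashes = {}
    for mailbox in mailboxes:
        owner = mailbox_to_owner_name(mailbox)
        present = sorted(set(zone.get(owner, {})) & HOST_RRTYPES)
        if present:
            clashes[mailbox] = present
    return clashes


def publish_openpgp_cert(zone: dict, mailbox: str, key_b64: str) -> list:
    """Add a CERT RR for the mailbox and return every CERT RR now at that
    owner name.  OpenPGP keys are published as type 3, key tag 0,
    algorithm 0, the form GnuPG's make-dns-cert produces (assumption)."""
    owner = mailbox_to_owner_name(mailbox)
    rdata = f"{CERT_TYPE_PGP} 0 0 {key_b64}"
    rrset = zone.setdefault(owner, {}).setdefault("CERT", [])
    rrset.append(rdata)
    return rrset


# Constructed zone: a web host and a mail host under example.com.
EXAMPLE_ZONE = {
    "www.example.com.": {"A": ["192.0.2.10"]},
    "mail.example.com.": {"A": ["192.0.2.25"], "MX": ["0 mail.example.com."]},
}


def demo() -> dict:
    """Run the scenario from the thread on a private copy of the zone."""
    zone = {name: {t: list(v) for t, v in rrs.items()}
            for name, rrs in EXAMPLE_ZONE.items()}
    # A user called 'www' lands on the web host's name; the root@<host>
    # convention Simon describes does not, because it adds a label.
    clashes = find_collisions(
        zone, ["www@example.com", "leslie@example.com", "root@www.example.com"])
    # Two keys at one name simply coexist; the client receives the whole
    # RRset and has to choose between them.  Key blobs are placeholders.
    publish_openpgp_cert(zone, "leslie@example.com", "BASE64KEY1==")
    certs = publish_openpgp_cert(zone, "leslie@example.com", "BASE64KEY2==")
    return {"clashes": clashes, "certs_at_leslie": len(certs)}


if __name__ == "__main__":
    print(demo())
```

The collision check only flags names that already carry host-style records, which is the case Mark raises; it says nothing about whether a resolver will prefer one CERT record over another, which is the selection problem Simon leaves to the client.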