In message <87r3looxjg.fsf@xxxxxxxxxxxxxxxxxxx>, Simon Josefsson writes:

> Mark Andrews <marka@xxxxxxx> writes:
>
> >> >>> Some people disagree with you and think DNSSEC is a viable PKI for their
> >> >>> intended use. These people want to use DNSSEC. We can give those people
> >> >>> an experimental RFC with OPENPGPKEY record, or we can force them to use
> >> >>> an individual submitted draft with a TXT record stalled until expiry.
> >> >>
> >> >> Or they can use the already specified CERT record, which GnuPG supports.
> >> >
> >> > You would still need to address the key lookup mechanism. One of the
> >> > reasons CERT failed for openpgp was the lack of binding between mailbox
> >> > and DNS. You did not know where to look for the CERT record.
> >>
> >> If I understand correctly, I believe section 3 of RFC 4398 discusses this:
> >> http://tools.ietf.org/html/rfc4398#section-3
> >>
> >> In particular section 3.3 explains how an OpenPGP key for
> >> leslie@host.example would lead to a CERT record on the
> >> leslie.host.example domain. See
> >> http://tools.ietf.org/html/rfc4398#section-3.3
> >
> > Which is very much part of the problem. RFC 103[45] have mbox names
> > which unfortunately cause namespace collisions. Usernames and
> > hostnames shouldn't be in the same namespace. RFC 4398 continues
> > to have that problem.
>
> I don't see that as a problem.

People don't usually look at the set of hostnames before assigning a
user id, and the reverse is also true. Who gets change control on the
resulting domain name when there is a collision? The user or the host?

> To my knowledge, associating an OpenPGP key with a host is rare, and
> when it happens the usual best practice in the OpenPGP world has been to
> "invent" an email address like root@xxxxxxxxxxxxxxxx and put that in the
> OpenPGP key. So no collisions happen.
>
> Even if a collision would happen, it is not a show-stopper. You just
> put two CERT records at the same name. The client will need to have
> functionality to figure out which key out of several to use anyway.

And what about all the other record types?

> /Simon

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@xxxxxxx
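As an added illustration (not code from this thread or from either participant), the following script implements the RFC 4398 section 3.3 owner-name mapping discussed above and checks a zone for the username-versus-hostname collisions Mark describes; for contrast it also goes slightly beyond the thread by computing the `_openpgpkey` owner name as later published in RFC 7929 for the OPENPGPKEY record, which keeps mailbox names out of the hostname namespace. The zone contents (`SAMPLE_HOSTNAMES`, `SAMPLE_MAILBOXES`) are constructed sample data.

```python
import hashlib


def cert_owner_name(mailbox: str) -> str:
    """RFC 4398 section 3.3: the '@' becomes a label separator, so the key for
    leslie@host.example is looked up as a CERT record at leslie.host.example.
    DNS owner names compare case-insensitively, so the result is lower-cased."""
    local, at, domain = mailbox.partition("@")
    if not at or not local or not domain:
        raise ValueError(f"not a mailbox: {mailbox!r}")
    return f"{local}.{domain}".lower().rstrip(".")


def openpgpkey_owner_name(mailbox: str) -> str:
    """RFC 7929 section 3 (the published OPENPGPKEY record): SHA2-256 of the
    local-part, truncated to 28 octets and hex-encoded, under the _openpgpkey
    label of the domain. A label starting with '_' is never a valid hostname,
    so this name cannot collide with a host in the zone."""
    local, at, domain = mailbox.partition("@")
    if not at or not local or not domain:
        raise ValueError(f"not a mailbox: {mailbox!r}")
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain.lower().rstrip('.')}"


def find_cert_collisions(mailboxes, hostnames):
    """Return {owner_name: mailbox} for every CERT owner name that is also an
    existing hostname: the usernames-vs-hostnames clash RFC 4398 inherits
    from the RFC 1035 mailbox encoding."""
    hosts = {h.lower().rstrip(".") for h in hostnames}
    collisions = {}
    for mbox in mailboxes:
        name = cert_owner_name(mbox)
        if name in hosts:
            collisions[name] = mbox
    return collisions


# Constructed sample zone: three hostnames and three mailboxes in host.example.
SAMPLE_HOSTNAMES = ["www.host.example", "mail.host.example", "ns1.host.example"]
SAMPLE_MAILBOXES = ["leslie@host.example", "www@host.example", "mail@host.example"]


def collision_report(mailboxes=SAMPLE_MAILBOXES, hostnames=SAMPLE_HOSTNAMES):
    """Compare both mappings against the zone's hostnames."""
    hosts = {h.lower().rstrip(".") for h in hostnames}
    opk = [m for m in mailboxes if openpgpkey_owner_name(m) in hosts]
    return {"cert_collisions": find_cert_collisions(mailboxes, hostnames),
            "openpgpkey_collisions": opk}


if __name__ == "__main__":
    for mbox in SAMPLE_MAILBOXES:
        print(f"{mbox:22} CERT       -> {cert_owner_name(mbox)}")
        print(f"{'':22} OPENPGPKEY -> {openpgpkey_owner_name(mbox)}")
    print(collision_report())
```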