
Re: Use of DNS to distribute keys
Brad,

I have been chewing on similar thoughts for some time now, and I think that there
are at least two major problems with mapping "security info" (PEM certificates)
directly inside the DNS:

- First, security info is generally based on "descriptive naming" -- white-page-like,
user friendly, etc. One could question the particular PEM choice of using X.509
formatting, object identifiers and ASN.1 rather than, e.g., comma-separated text
strings; but the fact remains that security mandates "clear identification" rather
than DNS-like acronyms. Refer to any of Steve Kent's messages on this subject (e.g.
his recent communication to INET-93) for a complete discussion.

- Second, security information, if taken seriously, requires long keys, e.g.
1024 bits. A certificate includes two full names, one key info and one
signature; this is probably very often more than the canonical 512-octet
payload limit of a datagram. As a side effect, this also poses some problems
of "caching size" -- like letting it grow by two orders of magnitude.

The idea of developing an application that would parallel the DNS is thus very
appealing. In particular, it should be possible to build on the particular
nature of PEM certificates: they contain complete naming information, and
they are "sealed", thus enabling riskless duplication. We will indeed need
"glue" between this application and the DNS, e.g. "domain certificates" linking
a white page and a domain name, or maybe specific "security server"
information.

Christian Huitema
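The second point above can be put in numbers. What follows is an added example, not part of Christian Huitema's message: it DER-encodes a certificate of the X.509v1 shape that PEM (RFC 1422) used, with filler octets in place of the RSA modulus and signature and invented distinguished names, ships it as the RDATA of a single DNS answer (the CERT type, 37, from RFC 4398, which did not exist when this thread was written), and applies the RFC 1035 rule for a UDP reply longer than 512 octets: the answer section is dropped, the TC bit is set, and the client is expected to retry over TCP. The query name alice.example.org and the DN attribute values are assumptions; only the Python standard library is used.

```python
"""Added example: size of a PEM-style X.509v1 certificate with a 512- or 1024-bit
RSA key, and what an RFC 1035 server does when it does not fit in a 512-octet UDP
reply. Names, key and signature octets are constructed filler, not real values."""
import struct

UDP_PAYLOAD_LIMIT = 512   # RFC 1035 4.2.1: UDP messages are limited to 512 octets
TC_FLAG = 0x0200          # TrunCation bit in the DNS header flags word
CERT_RRTYPE = 37          # RFC 4398 CERT; any type carrying an opaque blob would do

# ---- minimal DER encoder, enough for an X.509v1 skeleton -------------------
def der(tag, content):
    """Tag-length-value with definite-form length, as DER requires."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + struct.pack(">H", n)
    return bytes([tag]) + length + content

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one octet, base-128 after that."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return der(0x06, bytes(body))

def der_int(raw):
    """INTEGER from a big-endian magnitude; a leading 0x00 keeps it positive."""
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return der(0x02, raw)

ATTR_OID = {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}

def der_name(rdns):
    """X.500 Name: SEQUENCE OF SET OF SEQUENCE { type OID, value PrintableString }."""
    return der(0x30, b"".join(
        der(0x31, der(0x30, der_oid(ATTR_OID[attr]) + der(0x13, value.encode("ascii"))))
        for attr, value in rdns))

def alg_id(oid):
    """AlgorithmIdentifier with NULL parameters, as the RSA PKCS#1 algorithms use."""
    return der(0x30, der_oid(oid) + b"\x05\x00")

def constructed_certificate(key_bits, issuer, subject):
    """X.509v1: SEQUENCE { tbsCertificate, signatureAlgorithm, signature }.
    Modulus and signature are filler of the right length (assumption, not real crypto)."""
    octets = key_bits // 8
    modulus = b"\xC3" * octets            # high bit set, like a real modulus
    rsa_key = der(0x30, der_int(modulus) + der_int(b"\x01\x00\x01"))   # e = 65537
    spki = der(0x30, alg_id("1.2.840.113549.1.1.1") + der(0x03, b"\x00" + rsa_key))
    validity = der(0x30, der(0x17, b"930101000000Z") + der(0x17, b"940101000000Z"))
    tbs = der(0x30, der_int(b"\x01") + alg_id("1.2.840.113549.1.1.4")   # md5WithRSA
              + der_name(issuer) + validity + der_name(subject) + spki)
    signature = der(0x03, b"\x00" + b"\x5A" * octets)
    return der(0x30, tbs + alg_id("1.2.840.113549.1.1.4") + signature)

# ---- DNS wire format --------------------------------------------------------
def encode_name(name):
    """Domain name as length-prefixed labels terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def udp_response(qname, rdata, limit=UDP_PAYLOAD_LIMIT):
    """One-answer response with RFC 1035 truncation: if the full message exceeds
    `limit`, send header+question only, ANCOUNT=0 and TC set so the resolver
    retries over TCP. Returns (datagram, truncated)."""
    flags = 0x8180                                           # QR, RD, RA
    question = encode_name(qname) + struct.pack(">HH", CERT_RRTYPE, 1)
    answer = (encode_name(qname)
              + struct.pack(">HHIH", CERT_RRTYPE, 1, 3600, len(rdata)) + rdata)
    full = struct.pack(">HHHHHH", 0x1234, flags, 1, 1, 0, 0) + question + answer
    if len(full) <= limit:
        return full, False
    return struct.pack(">HHHHHH", 0x1234, flags | TC_FLAG, 1, 0, 0, 0) + question, True

def sizes(key_bits):
    """(certificate octets, UDP datagram octets, truncated?) for a key of key_bits.
    Names and query name are invented for the example."""
    issuer = [("C", "US"), ("O", "Example Org"), ("CN", "Example PEM CA")]
    subject = [("C", "US"), ("O", "Example Org"), ("CN", "Alice Example")]
    cert = constructed_certificate(key_bits, issuer, subject)
    datagram, truncated = udp_response("alice.example.org", cert)
    return len(cert), len(datagram), truncated

if __name__ == "__main__":
    for bits in (512, 1024):
        cert_len, dgram_len, tc = sizes(bits)
        print(f"{bits}-bit key: certificate {cert_len} octets, "
              f"UDP datagram {dgram_len} octets, TC={tc}")
```

With a 1024-bit key the bare certificate already comes to 490 octets, and with the DNS header, question and RR framing the reply would be 554 octets; the server can only send back the 35-octet truncated message, and every client then pays a TCP round trip. The same certificate with a 512-bit key fits in 421 octets. Today EDNS0 (RFC 6891) lets a resolver advertise a larger UDP payload, but the limit reasoned about in this message is the pre-EDNS one the code applies.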

