
Re: [resend] Use of DNS to distribute keys



This discussion came late to pem-dev, and it could be I'm missing some
crucial context.  But let me throw in some thoughts:

1) There is little to be gained by storing certificates of on-line
entities in DNS because it is just as easy to ask the entity for its
certificate(s).  Part of the process of upgrading a system to support
authentication could be to install a simple little service (or to
modify some existing one) to return certificates on demand.

but...

2) If you wanted to store certificates in DNS and were concerned about
their length, be aware that certificates are big only because their
designers had no motivation to make them small.  The critical
information in a certificate is a public key (which for 512 bit RSA and
a fixed public exponent could be 64 bytes), a signature (also 64
bytes), and an expiration (which could be two bytes if people were
ambitious).  The signature must be computed over the name being
certified but since that is encoded elsewhere need not be stored as
part of the certificate.  This encoding excludes ASN.1 encodings and
object identifiers for compatibility for future designs.  DNS could
handle 130 bytes and even a few more for some measure of future
migration and additional features.  As noted in (1), I don't think this
is necessary, but if this were all that were standing in the way of an
otherwise sound scheme, it could be done.

	--Charlie
	(kaufman@zk3.dec.com)
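As an added illustration of the compact layout sketched in point (2), and not code from the message's author or from the pem-dev list: the script below packs a 64-byte RSA-512 modulus, a 64-byte signature and a 2-byte expiry into the 130-byte record the message describes, signs over the certified name without storing it, and verifies the result. Everything not in the message is an assumption of this example: the fixed public exponent 65537, the expiry encoded as days since 1970-01-01, the name canonicalization, the use of SHA-256 as the digest, and the unpadded "textbook" RSA signature (kept only so the whole thing fits in one self-contained file; a deployment would use a standardized signature scheme and key sizes far larger than 512 bits, which is the message's 1990s figure and is not secure today). Requires Python 3.8+ for `pow(e, -1, phi)`.

```python
"""Compact certificate record in the spirit of the message (assumptions noted).

Layout, 130 bytes, big-endian:
  [  0: 64]  subject RSA-512 public modulus n (public exponent fixed at 65537; assumption)
  [ 64:128]  issuer RSA-512 signature over  name || n || expiry
  [128:130]  expiry as days since 1970-01-01 (assumption; message only says "two bytes")
The certified name is NOT stored: it is the DNS owner name the record sits under,
so a record copied to another name fails verification.
"""
import hashlib
import math
import random
import struct
from datetime import date

E = 65537                                  # fixed public exponent (assumption)
KEY_BYTES, SIG_BYTES, EXP_BYTES = 64, 64, 2
RECORD_LEN = KEY_BYTES + SIG_BYTES + EXP_BYTES   # 130, the figure in the message


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _rand_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit and odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(seed=None):
    """Return (n, d): a 512-bit RSA modulus and private exponent for fixed E.
    The seed is only there to make the demonstration reproducible."""
    rng = random.Random(seed)
    while True:
        p, q = _rand_prime(256, rng), _rand_prime(256, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return p * q, pow(E, -1, phi)


def days_since_epoch(d):
    return (d - date(1970, 1, 1)).days


def _to_be_signed(name, subject_n, exp_days):
    """Canonical bytes the issuer signs; the name is bound in but never stored."""
    nb = name.lower().rstrip(".").encode("ascii")
    return (struct.pack(">H", len(nb)) + nb
            + subject_n.to_bytes(KEY_BYTES, "big") + struct.pack(">H", exp_days))


def _digest_int(name, subject_n, exp_days):
    return int.from_bytes(hashlib.sha256(_to_be_signed(name, subject_n, exp_days)).digest(), "big")


def issue(issuer_d, issuer_n, name, subject_n, expiry):
    """Build the 130-byte record certifying subject_n for `name` until `expiry` (a date)."""
    exp_days = days_since_epoch(expiry)
    if not 0 <= exp_days <= 0xFFFF:
        raise ValueError("expiry outside the 2-byte range")
    sig = pow(_digest_int(name, subject_n, exp_days), issuer_d, issuer_n)   # unpadded RSA: demo only
    rec = (subject_n.to_bytes(KEY_BYTES, "big") + sig.to_bytes(SIG_BYTES, "big")
           + struct.pack(">H", exp_days))
    assert len(rec) == RECORD_LEN
    return rec


def verify(record, name, issuer_n, today):
    """Return the subject modulus if the record is well-formed, unexpired on `today`
    and carries a valid issuer signature binding it to `name`; else None."""
    if len(record) != RECORD_LEN:
        return None
    subject_n = int.from_bytes(record[:KEY_BYTES], "big")
    sig = int.from_bytes(record[KEY_BYTES:KEY_BYTES + SIG_BYTES], "big")
    (exp_days,) = struct.unpack(">H", record[-EXP_BYTES:])
    if days_since_epoch(today) > exp_days:          # expired: reject before any crypto
        return None
    if pow(sig, E, issuer_n) != _digest_int(name, subject_n, exp_days):
        return None
    return subject_n


if __name__ == "__main__":
    ca_n, ca_d = generate_keypair(seed=1)             # constructed demo issuer
    host_n, _ = generate_keypair(seed=2)              # constructed demo subject
    rec = issue(ca_d, ca_n, "host.example.com", host_n, date(2030, 1, 1))
    print(len(rec), verify(rec, "host.example.com", ca_n, date(2025, 6, 1)) == host_n)
```

The 130-byte record fits inside a single 255-byte DNS character-string, so it would sit in one TXT string without the message-size games longer ASN.1 certificates would force. The verifier checks expiry before the signature and refuses a record presented under a different owner name, which is the property that lets the name be left out of the record in the first place.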

