
Re: [resend] Use of DNS to distribute keys




kaufman@zk3.dec.com says:
> This discussion came late to pem-dev, and it could be I'm missing some
> crucial context.  But let me throw in some thoughts:
> 
> 1) There is little to be gained by storing certificates of on-line
> entities in DNS because it is just as easy to ask the entity for its
> certificate(s).

But HOW do you ask the entities for their certificates? DNS is a nice
existing mechanism by which you can do the asking.

> 2) If you wanted to store certificates in DNS and were concerned about
> their length, be aware that certificates are big only because their
> designers had no motivation to make them small.  The critical
> information in a certificate is a public key (which for 512 bit RSA and
> a fixed public exponent could be 64 bytes), a signature (also 64
> bytes), and an expiration (which could be two bytes if people were
> ambitious).

Make it into a 1024 bit key, the minimum you need for real security,
add a signature, add IDENTITY information on the key and signature,
and you are pushing over the line.

Perry

