That's exactly what I was thinking, and that's a cool way to distribute PKeys.
About spoofing, I agree that it's vulnerable, but it takes a bit of work.
----- Original Message -----
From: "Sergey Babkin" <babkin(_at_)bellatlantic(_dot_)net>
Sent: Thursday, September 11, 2003 8:27 PM
Subject: Proposal to use DNS as public key repository
I think that I've found an easy way to distribute the public keys:
put them into DNS. The records would look like:
<entity-name> IN PKEY <key-type>:<key-value>
babkin.-at-.bellatlantic.net IN PKEY "ssh1:1024 37
(I'm not quite sure yet if the values can be in quotes and if
the spaces and other funny characters are allowed - but such things
are solvable by some sort of escape sequences).
To allow changing the keys without disruption, allow multiple
PKEY records for an entity, and accept a match to any of them.
Of course it would be only as secure as it is difficult to spoof DNS,
so you probably won't want to use it for login information. But
it's still adequate for less demanding applications, such as
signing e-mail or establishing the identity of the SMTP servers.
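As an added illustration of the record format and the key-rotation rule sketched in the proposal above (this is example code written for this page, not code from either poster), the following Python parses PKEY lines of the shape `<entity-name> IN PKEY <key-type>:<key-value>` and accepts a presented key if it matches any of the records published for the entity. The double-quoting with backslash escapes, the owner-name normalisation and the sample records are assumptions; the proposal leaves quoting open and the key strings below are made-up placeholders, not real keys.

```python
import re
from dataclasses import dataclass

# Constructed zone fragment in the record shape the proposal sketches:
#   <entity-name> IN PKEY <key-type>:<key-value>
# Quoting with backslash escapes is an assumption (the proposal leaves it
# open); the key values are made-up placeholders, not real key material.
# Two records for the same entity model the overlap phase of a key rotation.
ZONE = """
; constructed example zone fragment (comment lines start with ';')
babkin.-at-.bellatlantic.net  IN PKEY "ssh1:1024 37 OLDKEYVALUE"
babkin.-at-.bellatlantic.net  IN PKEY "ssh1:1024 41 NEWKEYVALUE"
mail.example.net.             IN PKEY "pgp:ABCDEF01"
"""

_RECORD_RE = re.compile(r"^(\S+)\s+IN\s+PKEY\s+(.+?)\s*$")


@dataclass(frozen=True)
class PKeyRecord:
    owner: str      # normalised DNS name: lower-case, no trailing dot
    key_type: str   # e.g. "ssh1", "pgp"
    key_value: str  # opaque key material, inner spaces preserved


def normalise_name(name):
    """DNS names are case-insensitive; drop the trailing dot so that
    'Mail.Example.Net.' and 'mail.example.net' compare equal."""
    return name.rstrip(".").lower()


def unquote(raw):
    """Undo the assumed quoting: a "..." string in which a backslash makes
    the next character literal. Unquoted data is returned verbatim."""
    if not (len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"'):
        return raw
    out, i, body = [], 0, raw[1:-1]
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            out.append(body[i + 1])   # escaped character, taken literally
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def parse_zone(text):
    """Parse every PKEY line of a zone fragment into PKeyRecord objects;
    malformed lines raise ValueError rather than being silently skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _RECORD_RE.match(line)
        if not m:
            raise ValueError("not a PKEY record: %r" % line)
        data = unquote(m.group(2))
        if ":" not in data:
            raise ValueError("missing <key-type>: separator in %r" % line)
        key_type, key_value = data.split(":", 1)
        records.append(PKeyRecord(normalise_name(m.group(1)),
                                  key_type.strip().lower(), key_value.strip()))
    return records


def keys_for(records, owner):
    """All keys published for one entity, in zone order."""
    owner = normalise_name(owner)
    return [r for r in records if r.owner == owner]


def key_matches(records, owner, key_type, key_value):
    """Accept the presented key if it equals ANY PKEY record of the entity.
    Publishing the old and the new key side by side is what lets a key be
    changed without a window in which verification fails."""
    key_type, key_value = key_type.lower(), key_value.strip()
    return any(r.key_type == key_type and r.key_value == key_value
               for r in keys_for(records, owner))


if __name__ == "__main__":
    recs = parse_zone(ZONE)
    for r in recs:
        print(r)
    print(key_matches(recs, "babkin.-at-.bellatlantic.net", "ssh1",
                      "1024 41 NEWKEYVALUE"))
```

The matcher trusts whatever the zone says, which is exactly the spoofing concern raised in the thread: a verifier built on this scheme is only as trustworthy as its DNS answers, so in practice the records would need to be authenticated (for example by DNSSEC signatures) before being used for anything beyond the low-stakes cases the proposal names.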