Yakov Shafranovich wrote:
I read over RFC 2538 which specifies a way for digital certificates to be
stored in the DNS system. The RFC seems to support both X.509 and PGP
certs. Could the method defined in that RFC be used to verify a sender's
identity by storing his certificate in the DNS for the originating domain?
Unfortunately, the DNS based CERT storage system proposed in RFC2538 is
not efficient for lookups if the type, key tag, or algorithm fields are
used as part of the lookup. That is because those fields are in the data
returned for a lookup, not the (DNS name) lookup key. So if John Q Public
has several CERTs, anyone needing a particular one will need to retrieve
them all to find the one with the correct type, key tag, and/or algorithm
fields.
The problem can be overcome by encoding the CERT selection information as
sub-domain labels to the FQDN for John Q Public. DRIP does something like
this to check for designation records for SMTP transactions. See
http://ietf.org/internet-drafts/draft-brand-drip-00.txt
Raymond S Brand
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg