On Fri, 3 Dec 2004, william(at)elan.net wrote:
Also personally I think that good authorization may involve trying to use
fingerprints (as with IIM) with DNS, but not the way IIM wants to do
it by putting fingerprint in the FQDN but instead just directly putting
fingerprint data inside DNS RDATA. For initial testing we can just reuse
AAAA records which are 128bit (and fingerprint in IIM is 96bit) and for
future define new record type.
I also looked around and found that there is an ID proposing record type
for fingerprints (specifically for SSH), I believe same record will work
for what we need:
http://www.ietf.org/internet-drafts/draft-ietf-secsh-dns-05.txt
And they actually already got RR type number issued - its 44
So in this case authorization expression
would be very simple:
URL("dns:fp1._kr.example.com?type=AAAA")=={f/8}
And example of dns record for fingerprint could be:
fp1._kr.example.com. IN AAAA ::073F:DD7D:D6D6:EF6D:1413:FD7B:3C57:7EFC
Maybe above is a bit too simple and we do need more data as part of the
authorization then just the fingerprint itself but in my view its enough
for intitial deploment and this is pretty damn simple to implement and
almost everyone now allows their customers to add "AAAA" records, so it
should be possible to deploy it with no problems (though I suspect dns
people may not be super happy about having AAAA records reused in this
way even if its done for very specific prefix).
---
William Leibzon, Elan Networks:
mailto: william(_at_)elan(_dot_)net
Anti-Spam and Email Security Research Worksite:
http://www.elan.net/~william/emailsecurity/