
Re: PEM and mail signature DNS public key verification

2005-07-31 21:27:59


On Sun, 31 Jul 2005, Earl Hood wrote:

  http://ftp.sayclub.com/pub/ietf/concluded-wg-ietf-mail-archive/pem/

<http://www.mhonarc.org/archive/html/pem-dev/>.

Thank you very much for making a searchable archive available.

The raw data had some malformed email data (nothing too major), so
hopefully I caught and fixed most of the problems.

It appears a search for "DNS key" gives plenty of hits.

Yes, it appears I greatly underestimated their consideration of DNS - 210 hits total (but many are because of the use of DNs, where DN stands for "distinguished name" as in X.509). I'll list below some of the more interesting DNS-related posts:

-------------------------------------------------------------------

http://www.mhonarc.org/archive/html/pem-dev/1993-09/msg00012.html
"Subject: Re: [resend] Use of DNS to distribute keys
 ...
 > > Key certificates are
 > > generally too big and clunky to be in DNS but public keys would work
 > > fine.  There is no reason for the keys stored in DNS to be embedded in
 > > a certificate because you can use secure communication with the DNS
 > > server based on the key from the next highest level in the DNS
 > > hierarchy.  ...  Caching keys is kind of like caching IP address info."

There is a lively thread after that message discussing dns and public key retrieval - about 20 messages. That was from 1993 btw!

-------------------------------------------------------------------

http://www.mhonarc.org/archive/html/pem-dev/1995-01/msg00277.html
"from [Donald E. Eastlake 3rd (Beast)]
 Subject: Names, certificates, etc. (was Re: DNs, boomerangs, and
 other Revealed Truths )
 Date:  Tue, 31 Jan 95 14:57:20 -0500
 ...
 Hi everyone,
 I don't contribute much to this list but I thought I'd throw in my
 $0.02 worth.
 ...
 | What is missing from PEM's point of view is the final step that maps the
 | found e-mail address to a public key.  I believe it is fruitless to try to
 | modify whois, netfind, X.500, etc, to do this.  I believe a smarter way is
 | to define a new and simpler protocol that just does key management and can
 | search on e-mail addresses.  It may even be able to search on other things,
 | which would be a bonus, but going the whole hog to support every search
 | criteria under the sun is best left to other working groups that have
 | more expertise in this area than we do.  Let's stick to what we know,
 | key management, and leave the rest to someone else to worry about.

 Exactly.  the existing, globally deployed Domain Name System, with
 some security additions, is such a protocol.  See
 draft-ietf-dnssec-secext-*.txt.  Just, for example, retrieve any user
 account KEY RRs stored under jueneman.gte.com."

-------------------------------------------------------------------

http://www.mhonarc.org/archive/html/pem-dev/1996-02/msg00014.html
"From [Donald E. Eastlake 3rd]
 Subject: DNS Keys (was A brief comparison of email encryption protocols)
 ..
 | | Perhaps the biggest feature required in the mailer is integration
 | | of key management and the "address book". If this feature is not
 | | implemented in the mailer, then two address books are required - one
 | | to select email addresses, and another to map email addresses to keys
 ....
 | In point of fact, MOSS supports this feature.  The email address name form
 | was included precisely because we figured people would want to continue
 | to use names with which they were familiar.  Further, the email address
 | could be parsed and the DNS could be used to lookup the public key.
 ...
 | DNS? Are you suggesting that the public key be stored within the DNS
 | database? The idea is nice, but DNS as deployed today is far too
 | insecure (see the Wall Street Journal, 9 Feb 1996 for an example).

 Please check out draft-ietf-dnssec-secext-09.txt in the IETF shadow
 directories (such as ftp.isi.edu/internet-drafts).  It specifies a
 standard for authenticating data retrieved from the DNS and using the
 DNS for key distribution.
 Donald
 =====================================================================
 Donald E. Eastlake 3rd     +1 508-287-4877(tel)     dee(_at_)xxxxxxxxxxxxx"

-------------------------------------------------------------------

The above was posted by the author of RFC2535, and it is fairly clear he meant
that the DNS KEY record be used for email authentication as well (that is
why you see "email" as a protocol there, and it appears to have been
added to the DNS KEY specification somewhere between 1995-01 and 1996-02).
If in doubt we can probably just ask Donald (he's still active in the
DNS extensions WG) about how it got added in there, when, and in
regard to which discussions.

---
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
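As an added illustration of the "email" protocol value mentioned above (this is example code written for this page, not code from the archive or from the DNSSEC drafts), the following Python decodes the RFC 2535 KEY RR RDATA layout (16-bit flags, protocol octet, algorithm octet, key) and checks whether a record advertises a per-user key for authenticating email. The three sample records are constructed here; the field tables follow RFC 2535 sections 3.1-3.2.

```python
import base64
import struct

# RFC 2535 protocol octet values (section 3.1.3): "email" is 2.
PROTOCOLS = {0: "reserved", 1: "TLS", 2: "email", 3: "dnssec", 4: "IPSEC", 255: "all"}
# RFC 2535 algorithm octet values (section 3.2); others are private/reserved.
ALGORITHMS = {1: "RSA/MD5", 2: "Diffie-Hellman", 3: "DSA"}
# NAMTYP flag bits 6-7: what kind of entity the key belongs to.
NAME_TYPES = {0: "user", 1: "zone", 2: "host", 3: "reserved"}


def parse_key_rr(rdata: bytes) -> dict:
    """Decode KEY RDATA: flags (16 bits), protocol (8), algorithm (8), public key."""
    if len(rdata) < 4:
        raise ValueError("KEY RDATA shorter than 4 octets")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    ac = flags >> 14  # A/C key-type field is flag bits 0-1 (the two high bits)
    return {
        "flags": flags,
        "auth_prohibited": bool(ac & 0b10),  # bit 0 set: no authentication use
        "conf_prohibited": bool(ac & 0b01),  # bit 1 set: no confidentiality use
        "no_key": ac == 0b11,                # both set: record carries no key
        "name_type": NAME_TYPES[(flags >> 8) & 0b11],  # NAMTYP, bits 6-7
        "protocol": PROTOCOLS.get(protocol, f"unassigned({protocol})"),
        "algorithm": ALGORITHMS.get(algorithm, f"other({algorithm})"),
        "public_key": rdata[4:],
    }


def usable_for_email_auth(rdata: bytes) -> bool:
    """True only for a user key whose protocol covers email and allows authentication."""
    k = parse_key_rr(rdata)
    return (not k["no_key"] and not k["auth_prohibited"]
            and k["name_type"] == "user" and k["protocol"] in ("email", "all"))


def to_presentation(rdata: bytes) -> str:
    """Master-file form of the RDATA: flags protocol algorithm base64-key."""
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return f"{flags} {protocol} {algorithm} {base64.b64encode(rdata[4:]).decode()}"


# Constructed samples (placeholder key bytes, not real keys):
# user key (NAMTYP 00, A/C 00), protocol 2 = email, algorithm 1 = RSA/MD5
EMAIL_KEY = struct.pack("!HBB", 0x0000, 2, 1) + b"placeholder-key"
# zone key (NAMTYP 01), protocol 3 = dnssec: not an email key
ZONE_KEY = struct.pack("!HBB", 0x0100, 3, 1) + b"placeholder-key"
# user key with authentication prohibited (A/C bit 0 set), protocol email
CONF_ONLY_KEY = struct.pack("!HBB", 0x8000, 2, 1) + b"placeholder-key"

if __name__ == "__main__":
    for name, rr in (("EMAIL_KEY", EMAIL_KEY), ("ZONE_KEY", ZONE_KEY), ("CONF_ONLY_KEY", CONF_ONLY_KEY)):
        print(name, to_presentation(rr), usable_for_email_auth(rr))
```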
