On Sat, Nov 06, 2004 at 07:48:31PM +0100, Simon Josefsson wrote:
> Applications that receive an OpenPGP packet but do not know the email
> address of the sender will have difficulties guessing the correct
> owner name. However, the OpenPGP packet typically contains the Key ID
> of the key. Such applications can derive the owner name from the Key
> ID using a Base 16 encoding [8]. For example:
>
> $ORIGIN example.org.
> F835EDA21E94B565716F IN CERT PGP ...
> B565716F IN CNAME F835EDA21E94B565716F
>
> Again, if the same key material is stored at several owner names,
> CNAME can be used to avoid data duplication.
One of the things that struck me when reading this draft is that while
there are several suggested ways to name keys in DNS, there is no one
canonical name as a SHOULD or MUST. I suggest that the key
fingerprint be the canonical name, and all others be CNAMEs pointing
to the fingerprint name.
I have general concerns about the size of OpenPGP keys in DNS, but I
wonder if DNS would be a good way to distribute revocation
certificates in a low-overhead sort of way.
David
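Added illustration (not part of this thread or of the draft being discussed): a small Python helper that derives the Base 16 owner labels the quoted text describes and emits the corresponding zone lines, with the fingerprint label as the canonical owner and the 64-bit and 32-bit Key IDs as CNAMEs pointing at it. It assumes a v4 OpenPGP key, where the Key ID is the low-order 64 bits of the fingerprint (and the short Key ID its low-order 32 bits). The fingerprint, zone name and CERT rdata placeholder are constructed sample values, not real keys.

```python
import re

# Constructed sample values for this example; not a real key.
ZONE = "example.org."
SAMPLE_FINGERPRINT = "AB12CD34EFAB12CD34EFAB12CD34EFAB12CD34EF"  # 40 hex digits, v4
CERT_RDATA_PLACEHOLDER = "PGP <base64-key-data-placeholder>"

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
MAX_LABEL_OCTETS = 63          # DNS label size limit (RFC 1035)
V4_FINGERPRINT_HEX_DIGITS = 40  # 160-bit SHA-1 fingerprint


def owner_label(hexstr):
    """Turn a Key ID or fingerprint (as printed by tools, spaces allowed)
    into a single Base 16 DNS owner label. Rejects non-hex input and
    labels that would exceed the 63-octet label limit."""
    label = hexstr.replace(" ", "").upper()
    if not HEX_RE.match(label):
        raise ValueError("owner name must be a Base 16 string: %r" % hexstr)
    if len(label) > MAX_LABEL_OCTETS:
        raise ValueError("label longer than %d octets" % MAX_LABEL_OCTETS)
    return label


def key_ids_from_fingerprint(fingerprint):
    """Return (64-bit Key ID, 32-bit short Key ID) as hex labels.
    For v4 keys both are suffixes of the fingerprint."""
    fp = owner_label(fingerprint)
    if len(fp) != V4_FINGERPRINT_HEX_DIGITS:
        raise ValueError("expected a 40-digit v4 fingerprint, got %d digits" % len(fp))
    return fp[-16:], fp[-8:]


def zone_records(fingerprint, cert_rdata, zone=ZONE):
    """Emit zone-file lines: the CERT record at the fingerprint label and
    CNAMEs from both Key ID labels to it, so an application that only
    knows a Key ID still reaches the single canonical record."""
    fp = owner_label(fingerprint)
    long_id, short_id = key_ids_from_fingerprint(fp)
    lines = ["$ORIGIN %s" % zone, "%s IN CERT %s" % (fp, cert_rdata)]
    for alias in (long_id, short_id):
        lines.append("%s IN CNAME %s" % (alias, fp))
    return lines


def resolve_owner(name, records):
    """Follow CNAME aliases in a {label: (rrtype, rdata)} map until a
    non-CNAME record is found; refuses loops and unknown labels."""
    seen = set()
    while True:
        if name in seen:
            raise ValueError("CNAME loop at %s" % name)
        seen.add(name)
        rrtype, rdata = records[name]
        if rrtype != "CNAME":
            return name, rdata
        name = rdata


if __name__ == "__main__":
    for line in zone_records(SAMPLE_FINGERPRINT, CERT_RDATA_PLACEHOLDER):
        print(line)
```

`zone_records` is the generation side; `resolve_owner` shows the consumer side, following the alias chain from a Key ID label to the canonical fingerprint record while rejecting a misconfigured loop.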