
Re: Global PKI on DNS?

2002-06-09 23:40:10
I see who you are talking about....

But I think it is an IETF problem to provide an informational RFC to provide a
map between certificate DN and DNS namespace and to provide a mechanism
to look at CERT and CRL. Then it is an ICANN problem to implement on the
root-servers and delegate to others...

From reviewing the 2 RFCs (CERT and SIG) it appears that the DNS protocol
has all which is required now, but needs some structure and
standardisation.

For instance:
In the certificate C= could be root or the ccTLD or gTLD, then O= could
be the rest of the domain name.
CN would be the hostname, e-mail address, name of a person (all
belonging to the domain).

An X509 critical key would be used to limit the issue of certificates
outside the domain name.

It is then easy to map the certificate to a CERT DNS entry by doing a
DNS query for the CERT record to the O=+C= domain.

The CERT DNS entry allows the use of a URI; the URI would point:
1) to the certificate (http://www.sopac.org/ssl/sopac.crt)
2) to the CRL (http://www.sopac.org/ssl/sopac.crl)
3) to the OCSP?

(ldap could be used instead of http)

Lastly, using 1) but adding certificate.html?ID=xxx you could retrieve
any certificate signed by 1) and then get the public key amongst other
things...

This is a quick write-up of ideas, which needs more thinking, but:
1) it provides the mapping between certificates and the DNS system
2) it is not heavy on the DNS because it answers a URI and not the
certificate or key or whatever
3) it provides an independent way to check the CRL without the DNS TTL issue and
caching...
4) http, ldap and DNS are well established protocols that are mostly
enabled via firewalls.

Should such RFC be written?

Cheers.
franck(_at_)sopac(_dot_)org

On Mon, 2002-06-10 at 01:57, Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu wrote:

    On Sun, 09 Jun 2002 21:36:08 EDT, Keith Moore said:
    > > Unfortunately, Zymyrgy's Law of Evolving Thermodynamics applies here.
    > > The worms are out of the can, and I suggest anybody who wants to fight
    > > this battle order at least a 4-sizes-larger can....
    > 
    > these particular worms are still in the can, and it's probably better 
    > for everyone if they stay there.  
    
    I stand corrected.  The company I was thinking of is in both lines of business,
    but hasn't succeeded in actually equating them....
    
    /Valdis
    
    
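As an added illustration of the mapping sketched in the message above (example code written for this page, not code from the thread or from any IETF document): it derives the O=+C= query name from a certificate subject, parses the RFC 2538 CERT RDATA layout (type, key tag, algorithm, certificate data), and applies the "all belonging to the domain" check to both the CN and the pointer's host before the pointer is followed. It assumes that the URI the post proposes is carried as the NUL-terminated URI that RFC 2538's "URI private" type (253) places at the start of the certificate field; the DN strings, the record bytes and the function names are all constructed for this example.

```python
import struct
from urllib.parse import urlparse

# RFC 2538 CERT RR certificate-type values used here.
CERT_TYPE_PKIX = 1    # DER-encoded X.509 certificate carried inline
CERT_TYPE_URI = 253   # certificate field begins with a NUL-terminated URI


def parse_dn(dn):
    """Split 'C=org, O=sopac, CN=www' into [(attr, value), ...].

    Simplification for the example: escaped commas inside values are
    not handled, so this only accepts simple DNs of the shape above.
    """
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if not attr or not value:
            raise ValueError("malformed RDN: %r" % rdn)
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def dn_to_zone(dn):
    """Post's scheme: C= is the TLD, O= the rest of the domain name.

    Returns the fully-qualified owner name whose CERT record to query,
    e.g. 'sopac.org.' for C=org, O=sopac.
    """
    attrs = dict(parse_dn(dn))
    tld = attrs.get("C", "").strip(".").lower()
    org = attrs.get("O", "").strip(".").lower()
    if not tld:
        raise ValueError("DN has no C= component")
    labels = ([org] if org else []) + [tld]
    return ".".join(labels) + "."


def name_in_zone(name, zone):
    """True if a hostname or e-mail address (CN) lies within the zone.

    A bare label such as 'www' is treated as relative to the zone.
    """
    zone = zone.lower().rstrip(".")
    host = name.rsplit("@", 1)[-1].lower().rstrip(".")
    if not host:
        return False
    if "." not in host:
        host = host + "." + zone
    return host == zone or host.endswith("." + zone)


def build_cert_rdata(cert_type, key_tag, algorithm, data):
    """RFC 2538 wire format: type(16) | key tag(16) | algorithm(8) | data."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + data


def parse_cert_rdata(rdata):
    """Parse CERT RDATA; for type 253 split off the leading NUL-terminated URI."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA too short")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    body, uri = rdata[5:], None
    if cert_type == CERT_TYPE_URI:
        nul = body.find(b"\x00")
        if nul < 0:
            raise ValueError("URI-type CERT without NUL-terminated URI")
        uri, body = body[:nul].decode("ascii"), body[nul + 1:]
    return {"type": cert_type, "key_tag": key_tag,
            "algorithm": algorithm, "uri": uri, "data": body}


def resolve_pointer(dn, rdata):
    """Derive the zone from the DN, parse the CERT answer for that zone and
    return (zone, uri); refuse a CN or a pointer host outside the zone."""
    zone = dn_to_zone(dn)
    cn = dict(parse_dn(dn)).get("CN", "")
    if not name_in_zone(cn, zone):
        raise ValueError("CN %r does not belong to zone %s" % (cn, zone))
    rec = parse_cert_rdata(rdata)
    if rec["uri"] is None:
        raise ValueError("CERT record carries no URI pointer")
    url = urlparse(rec["uri"])
    if url.scheme not in ("http", "https", "ldap", "ldaps"):
        raise ValueError("unsupported pointer scheme %r" % url.scheme)
    if not name_in_zone(url.hostname or "", zone):
        raise ValueError("pointer host %r outside zone %s" % (url.hostname, zone))
    return zone, rec["uri"]


def pointer_is_acceptable(dn, rdata):
    """Boolean wrapper around resolve_pointer for callers that only need a verdict."""
    try:
        resolve_pointer(dn, rdata)
        return True
    except ValueError:
        return False


# Constructed sample: subject in the post's C=/O=/CN= shape and a CERT
# record whose URI field points at the certificate file named in the post.
SAMPLE_DN = "C=org, O=sopac, CN=www.sopac.org"
SAMPLE_RDATA = build_cert_rdata(CERT_TYPE_URI, 0, 0,
                                b"http://www.sopac.org/ssl/sopac.crt\x00")

if __name__ == "__main__":
    print(resolve_pointer(SAMPLE_DN, SAMPLE_RDATA))
```

The zone check is the part worth keeping: without it, a CERT record (or a forged DNS answer, since nothing here verifies a SIG record) could redirect the lookup to a certificate hosted anywhere. Even with the check, the pointer only tells you where to fetch; the fetched certificate still has to chain to an issuer you trust.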