Pekka Savola <pekkas(_at_)netcore(_dot_)fi> writes:
On Sat, 8 Jun 2002, Michael Richardson wrote:
"Franck" == Franck Martin <franck(_at_)sopac(_dot_)org> writes:
Franck> I was wondering if the best system to build a global PKI wouldn't be the
Franck> DNS system already in place?
Franck> The root servers would share the ROOT Certificates and would sign a
Franck> certificate to each .org .com .net .fr,... managers of these
Franck> domains...Which in turn would use these certificates to sign sub domains
Franck> certificates...
Please see the minutes from the "siked" BOF from #53... oops, none produced.
http://www.ietf.org/ietf/02mar/siked.txt
and the mailing list at keydist(_at_)cafax(_dot_)se(_dot_)
I think this was when Randy Bush (with Ops & Mgmt Area Director hat on)
said that certificates will not be stored in DNS; keys.. if you really
want, why not (but if you don't understand the difference between keys
and certificates, be quiet).
Both public keys and certificates can already be stored in DNS; see
RFC 2535 and RFC 2538. RFC 2535 is "editorially" updated to not
include the application public key support any more though.
Since this was CC:d to keydist: I think the keydist effort has been
superseded by reality. Despite the FUD presented by certain
individuals that don't want keys/certs in DNS, people have already
started doing it and it works fine. The only difference is that the
way people do it is not standardized.