Bill Sommerfeld wrote:
As others have pointed out, the DNS already has the capability
to store certs. So you could use the DNS as a publication
method. But is this the only thing a PKI needs? How would
one revolke a cert that was in the DNS? How can you update
-every- cached copy of the cert in question?
you don't need to. there are in general two options for this sort of
thing:
1) short lived certs
2) CRL's published at regular intervals.
both involve a regularly-signed short-lived objects.
Errr - OCSP?
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff