Re: Global PKI on DNS?

Bill Sommerfeld wrote:

        As others have pointed out, the DNS already has the capability
        to store certs.  So you could use the DNS as a publication
        method.  But is this the only thing a PKI needs?  How would
        one revolke a cert that was in the DNS?  How can you update
        -every- cached copy of the cert in question?



you don't need to.  there are in general two options for this sort of
thing:

  1) short lived certs
  2) CRL's published at regular intervals.

both involve a regularly-signed short-lived objects.


Errr - OCSP?

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

<Prev in Thread]	Current Thread	[Next in Thread>
Re: Global PKI on DNS?, (continued) Re: Global PKI on DNS?, James Pullicino Re: Global PKI on DNS?, Franck Martin Re: Global PKI on DNS?, Michael Richardson Re: Global PKI on DNS?, Pekka Savola Re: Global PKI on DNS?, Simon Josefsson Re: Global PKI on DNS?, Eric A. Hall Re: Global PKI on DNS?, Simon Josefsson Re: Global PKI on DNS?, Eric A. Hall Re: Global PKI on DNS?, Bill Manning Re: Global PKI on DNS?, Bill Sommerfeld Re: Global PKI on DNS?, Ben Laurie <= Re: Global PKI on DNS?, Arne Ansper Re: Global PKI on DNS?, Keith Moore Re: Global PKI on DNS?, Michael StJohns Re: Global PKI on DNS?, Keith Moore Re: Global PKI on DNS?, Valdis . Kletnieks Re: Global PKI on DNS?, Keith Moore Re: Global PKI on DNS?, Valdis . Kletnieks Re: Global PKI on DNS?, Franck Martin Re: Global PKI on DNS?, Keith Moore class E address, Nguyen Thi Mai Trang

Previous by Date:	Re: Global PKI on DNS?, Bill Sommerfeld
Next by Date:	Re: Global PKI on DNS?, Arne Ansper
Previous by Thread:	Re: Global PKI on DNS?, Bill Sommerfeld
Next by Thread:	Re: Global PKI on DNS?, Arne Ansper
Indexes:	[Date] [Thread] [Top] [All Lists]