ietf

RE: Global PKI on DNS?

2002-06-12 22:15:42
The CERT extension to DNS allows you to place a URI there; a URI is smaller than
a cert and stays in a UDP packet.
The X.509v3 extension allows you to place a URI to look for PKI and CRL, so
clients are already able to deal with a lot of URIs (mainly http and ldap).

Now, if you are looking for a cert or public key of a site or e-mail, you query
the DNS, which gives you the URI where to look for the PKI...

As someone said, the main problem is S/MIME, which does not have a protocol to
look for public keys globally. I think DNS can do the job...

There just needs to be a little bit of coordination and an agreed mapping and
protocol to use DNS for a global PKI.

Franck Martin
Network and Database Development Officer
SOPAC South Pacific Applied Geoscience Commission
Fiji
E-mail: franck(_at_)sopac(_dot_)org
Web site: http://www.sopac.org/
Support FMaps: http://fmaps.sourceforge.net/
Certificate: https://www.sopac.org/ssl/

This e-mail is intended for its addressees only. Do not forward this e-mail
without approval. The views expressed in this e-mail may not necessarily be
the views of SOPAC.



-----Original Message-----
From: Chris Evans [mailto:teknopup(_at_)bigvalley(_dot_)net]
Sent: Thursday, 13 June 2002 4:46
To: David Conrad; Derek Atkins
Cc: Eric A. Hall; John Stracke; ietf; isdf(_at_)isoc(_dot_)org; Key Distribution; openssl-users(_at_)openssl(_dot_)org
Subject: Re: Global PKI on DNS?


Then a global PKI protocol server needs to be invented so you can just get the
certs from the domain in question. I don't wanna see the DNS system bogged down
by this stuff. IMHOOC!

Use DNS to get the IP and request from its IP the PKI doc.. duh.


6/11/02 6:51:26 PM, Derek Atkins <derek(_at_)ihtfp(_dot_)com> wrote:

David Conrad <david(_dot_)conrad(_at_)nominum(_dot_)com> writes:

Why do you think the roots and TLDs would get millions of TCP queries for
their certs?  Why would anyone want to get the certs of the roots or
tlds?



