
Re: Proposal to use DNS as public key repository

2003-09-11 20:13:42
Hi Sergey,

That's exactly what I was thinking, and that's a cool way to distribute PKeys.
About spoofing, I agree that it's vulnerable, but it takes a bit of work.

Cheers,
Fritz.
----- Original Message ----- 
From: "Sergey Babkin" <babkin(_at_)bellatlantic(_dot_)net>
To: <ietf(_at_)ietf(_dot_)org>
Sent: Thursday, September 11, 2003 8:27 PM
Subject: Proposal to use DNS as public key repository


Hello,

I think that I've found an easy way to distribute the public keys:
put them into DNS. The records would look like:

<entity-name> IN PKEY <key-type>:<key-value>

for example:

babkin.-at-.bellatlantic.net IN PKEY "ssh1:1024 37
1550134074134018781239180842531603373454309268407729175684597284860789522776
765036113307635696866211228019143858148231273490
0409232249203691951375403439093052348271870888610552603391036369046162012289
05551802270012860844892213877621509748539922264245295221
03235374785283586385586920281234566901122551897435633"

(I'm not quite sure yet if the values can be in quotes and if
the spaces and other funny characters are allowed - but such things
are solvable by some sort of escape sequences).

To allow changing the keys without disruption, allow multiple
PKEY records for an entity, and accept a match to any of them.

Of course it would only be as secure as it is difficult to spoof DNS,
so you probably won't want to use it for login information. But
it's still adequate for less demanding applications, such as
signing e-mail or establishing the identity of the SMTP servers.

-SB
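The record format and the "accept a match to any of several PKEY records" rotation rule from the quoted proposal, worked through as an added example (not code from either poster). The zone data, entity names, key values and helper names (`parse_pkey_rdata`, `lookup_pkey`, `presented_key_matches`, `rotate_out`) are all constructed for illustration; the stand-in for a resolver is a plain dictionary, and a match only means the presented key equals what that resolver returned, which is exactly the post's own caveat about DNS spoofing.

```python
"""Lookup and matching logic for the PKEY-in-DNS idea from the post.

Added example; the zone data, names and key values below are constructed
and the helper names are hypothetical, not part of any real resolver.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PKeyRecord:
    key_type: str   # e.g. "ssh1"
    key_value: str  # rest of the record, whitespace-normalised


def parse_pkey_rdata(rdata: str) -> PKeyRecord:
    """Parse '<key-type>:<key-value>' as proposed, tolerating surrounding
    quotes and line-wrapped key material like the example in the post."""
    text = rdata.strip()
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        text = text[1:-1]
    key_type, sep, key_value = text.partition(":")
    key_value = " ".join(key_value.split())  # collapse wrapped whitespace
    if not sep or not key_type.strip() or not key_value:
        raise ValueError(f"malformed PKEY rdata: {rdata!r}")
    return PKeyRecord(key_type.strip().lower(), key_value)


def is_well_formed(rdata: str) -> bool:
    """True if the rdata parses; malformed records are rejected, not matched."""
    try:
        parse_pkey_rdata(rdata)
        return True
    except ValueError:
        return False


# Constructed zone: one entity with two PKEY records (old and new key during
# a rotation), another with a single record. Values are made up.
CONSTRUCTED_ZONE = {
    "mail.example.net.": [
        '"ssh1:1024 37 1550134074134018781239"',
        '"ssh1:1024 37 9870022700128608448922"',
    ],
    "alice.-at-.example.net.": ['"pgp:constructedkeyblob"'],
}


def lookup_pkey(zone, name):
    """Return all PKEY records for an entity (empty list if none)."""
    return [parse_pkey_rdata(r) for r in zone.get(name, [])]


def fingerprint(record: PKeyRecord) -> str:
    """Stable digest of a record, for logging which key was accepted."""
    data = f"{record.key_type}:{record.key_value}".encode()
    return hashlib.sha256(data).hexdigest()


def presented_key_matches(zone, name, presented_type, presented_value) -> bool:
    """Accept the key a peer presents if it equals ANY published record
    (the post's rule for disruption-free rotation). A match only shows the
    key equals what the resolver returned; confidence is bounded by the
    integrity of the DNS answer, as the post itself notes."""
    presented = PKeyRecord(presented_type.strip().lower(),
                           " ".join(presented_value.split()))
    return any(rec == presented for rec in lookup_pkey(zone, name))


def rotate_out(zone, name, old_value):
    """Drop the old record once peers have picked up the new one."""
    old = " ".join(old_value.split())
    zone[name] = [r for r in zone.get(name, [])
                  if parse_pkey_rdata(r).key_value != old]


if __name__ == "__main__":
    name = "mail.example.net."
    for rec in lookup_pkey(CONSTRUCTED_ZONE, name):
        print(name, rec.key_type, fingerprint(rec)[:16])
    print("old key accepted:", presented_key_matches(
        CONSTRUCTED_ZONE, name, "ssh1", "1024 37 1550134074134018781239"))
    print("unknown key accepted:", presented_key_matches(
        CONSTRUCTED_ZONE, name, "ssh1", "1024 37 1"))
```

Whitespace inside the key value is collapsed before comparison, so a key that was wrapped across lines in the zone file (as in the post's ssh1 example) still compares equal to the single-line form a peer presents; key types are compared case-insensitively, everything else exactly.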