
Re: PGP security models, was Summary of IETF LC for draft-ietf-dane-openpgpkey

2015-09-24 06:41:09
Mark Andrews <marka(_at_)isc(_dot_)org> writes:

>>>>> Some people disagree with you and think DNSSEC is a viable PKI for their
>>>>> intended use. These people want to use DNSSEC. We can give those people
>>>>> an experimental RFC with OPENPGPKEY record, or we can force them to use
>>>>> an individual submitted draft with a TXT record stalled until expiry.
>>>>
>>>> Or they can use the already specified CERT record, which GnuPG supports.
>>>
>>> You would still need to address the key lookup mechanism. One of the
>>> reasons CERT failed for openpgp was the lack of binding between mailbox
>>> and DNS. You did not know where to look for the CERT record.
>>
>> If I understand correctly, I believe section 3 of RFC 4398 discusses this:
>> http://tools.ietf.org/html/rfc4398#section-3
>>
>> In particular section 3.3 explains how an OpenPGP key for
>> leslie@host.example would lead to a CERT record on the
>> leslie.host.example domain.  See
>> http://tools.ietf.org/html/rfc4398#section-3.3
>
> Which is very much part of the problem.  RFC 103[45] have mbox names
> which unfortunately causes namespace collisions.  Usernames and
> hostnames shouldn't be in the same namespace.  RFC 4398 continues
> to have that problem.

I don't see that as a problem.

To my knowledge, associating an OpenPGP key with a host is rare, and
when it happens the usual best practice in the OpenPGP world has been to
"invent" an email address like root@host.example.org and put that in the
OpenPGP key.  So no collisions happen.

Even if a collision would happen, it is not a show-stopper.  You just
put two CERT records at the same name.  The client will need to have
functionality to figure out which key out of several to use anyway.

/Simon
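The mailbox-to-owner-name mapping and the "several CERT records at one name" case discussed above, as an added example that is not part of the thread or of any OpenPGP implementation. It assumes the RFC 4398 section 2.1 type value 3 for PGP, treats the escaping of dots in the local part as an assumed reading of the RFC, and uses a constructed sample RRset; the helper names and the CertRR class are hypothetical.

```python
import base64
from dataclasses import dataclass

# CERT type value for OpenPGP certificates, from RFC 4398 section 2.1.
CERT_TYPE_PGP = 3

def cert_owner_name(mailbox: str) -> str:
    """Map a mailbox to its CERT owner name: '@' becomes a label boundary, so
    leslie@host.example is looked up at leslie.host.example.  Dots in the local
    part are escaped as '\\.' (assumed reading of RFC 4398, not from the thread)."""
    local, at, domain = mailbox.rpartition("@")
    if not at or not local or not domain:
        raise ValueError("not a mailbox: %r" % mailbox)
    escaped_local = local.replace(".", "\\.")
    return ("%s.%s." % (escaped_local, domain.rstrip("."))).lower()

@dataclass
class CertRR:
    owner: str
    cert_type: int
    key_tag: int
    algorithm: int
    data: bytes

def parse_cert_rr(line: str) -> CertRR:
    """Parse presentation format: owner [ttl] [class] CERT type keytag alg base64."""
    f = line.split()
    i = f.index("CERT")
    ctype, tag, alg = (int(x) for x in f[i + 1:i + 4])
    return CertRR(f[0].lower(), ctype, tag, alg, base64.b64decode("".join(f[i + 4:])))

def select_openpgp_certs(rrset, mailbox):
    """Keep only PGP-typed CERT records at the mailbox's owner name; other types
    at the same name (the collision case) are dropped.  Choosing among several
    PGP records is the caller's job; trust the RRset only after DNSSEC validation."""
    owner = cert_owner_name(mailbox)
    return [rr for rr in rrset if rr.owner == owner and rr.cert_type == CERT_TYPE_PGP]

def _b64(payload: bytes) -> str:
    return base64.b64encode(payload).decode()

# Constructed sample RRset: a PKIX cert for the host itself, PKIX and PGP
# records sharing leslie's name, and an "invented" root@host.example mailbox.
SAMPLE_RRSET = [parse_cert_rr(line) for line in (
    "host.example. 3600 IN CERT 1 12345 8 " + _b64(b"constructed PKIX cert for host"),
    "leslie.host.example. 3600 IN CERT 1 0 0 " + _b64(b"constructed PKIX cert for leslie"),
    "leslie.host.example. 3600 IN CERT 3 0 0 " + _b64(b"constructed OpenPGP key for leslie"),
    "root.host.example. 3600 IN CERT 3 0 0 " + _b64(b"constructed OpenPGP key for root"),
)]
```

Note that root@host.example lands at root.host.example, a different owner name from the host's own host.example, which is why the "invented" address avoids the collision.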

