Re: PGP security models, was Summary of IETF LC for draft-ietf-dane-open

Simon Josefsson <simon(_at_)josefsson(_dot_)org> writes:

> > > In particular section 3.3 explains how a OpenPGP key for
> > > leslie@host.example would lead to a CERT record on the
> > > leslie.host.example domain.  See
> > > http://tools.ietf.org/html/rfc4398#section-3.3
> > Which is very much part of the problem.  RFC 103[45] have mbox names
> > which unfortunately causes namespace collisions.  Usernames and
> > hostnames shouldn't be in the same namespace.  RFC 4398 continues
> > to have that problem.
> I don't see that as a problem.
>
> To my knowledge, associating an OpenPGP key with a host is rare, and
> when it happens the usual best practice in the OpenPGP world has been to
> "invent" a email address like root(_at_)host(_dot_)example(_dot_)org and put 
> that in the
> OpenPGP key.  So no collisions happen.
>
> Even if a collision would happen, it is not a show-stopper.  You just
> put two CERT records at the same name.  The client will need to have
> functionality to figure out which key out of several to use anyway.
Btw, how does draft-ietf-dane-openpgpkey handle OpenPGP keys for
hostnames?  I don't see anything in it.  I propose that
username<->hostname collisions for OpenPGP is a non-issue.

/Simon

signature.asc
Description: PGP signature