ietf

Re: PGP security models, was Summary of IETF LC for draft-ietf-dane-openpgpkey

2015-09-24 07:45:27

In message <87r3looxjg.fsf@latte.josefsson.org>, Simon Josefsson writes:

Mark Andrews <marka@isc.org> writes:

Some people disagree with you and think DNSSEC is a viable PKI for their
intended use. These people want to use DNSSEC. We can give those people
an experimental RFC with OPENPGPKEY record, or we can force them to use
an individual submitted draft with a TXT record stalled until expiry.

Or they can use the already specified CERT record, which GnuPG supports.

You would still need to address the key lookup mechanism. One of the
reasons CERT failed for openpgp was the lack of binding between mailbox
and DNS. You did not know where to look for the CERT record.

If I understand correctly, I believe section 3 of RFC 4398 discusses this:
http://tools.ietf.org/html/rfc4398#section-3

In particular section 3.3 explains how an OpenPGP key for
leslie@host.example would lead to a CERT record on the
leslie.host.example domain.  See
http://tools.ietf.org/html/rfc4398#section-3.3

Which is very much part of the problem.  RFC 103[45] have mbox names
which unfortunately causes namespace collisions.  Usernames and
hostnames shouldn't be in the same namespace.  RFC 4398 continues
to have that problem.

I don't see that as a problem.

People don't usually look at the set of hostnames before assigning
a user id and the reverse is also true.  Who gets change control
on the resulting domain name when there is a collision?  The user
or the host?

To my knowledge, associating an OpenPGP key with a host is rare, and
when it happens the usual best practice in the OpenPGP world has been to
"invent" an email address like root@host.example.org and put that in the
OpenPGP key.  So no collisions happen.

Even if a collision would happen, it is not a show-stopper.  You just
put two CERT records at the same name.  The client will need to have
functionality to figure out which key out of several to use anyway.

And what about all the other record types?
 
/Simon

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
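The two owner-name derivations argued about in this thread, written out as an added illustration (this is not code from the thread, from GnuPG, or from the cited documents). The first is the RFC 4398 section 3.3 mapping Simon cites, where leslie@host.example becomes a CERT record at leslie.host.example, so mailbox names and hostnames share one namespace. The second is the OPENPGPKEY mapping as it was eventually published in RFC 7929: the SHA-256 of the local-part, truncated to 28 octets and written as lowercase hex, under a dedicated _openpgpkey label of the mail domain. The sample mailboxes and hostnames are constructed, and the escaping of local-parts with characters not valid in DNS labels (which RFC 4398 addresses) is deliberately not modelled. The collision check makes Mark's change-control question concrete: a mailbox "www" at host.example lands on the same owner name as the host www.host.example under the CERT scheme, but cannot under the _openpgpkey label.

```python
"""Owner-name derivation for OpenPGP keys published in DNS.

Added example, not code from the thread or from the drafts/RFCs it cites.
Two schemes are compared:

  * CERT (RFC 4398 section 3.3 style): "leslie@host.example" is looked up
    at "leslie.host.example". Mailbox and host names share a namespace.
  * OPENPGPKEY (draft-ietf-dane-openpgpkey, published as RFC 7929):
    SHA-256(local-part) truncated to 28 octets, lowercase hex, under the
    "_openpgpkey" label of the domain.
"""
import hashlib
from typing import Callable, Iterable, List, Tuple


def split_mailbox(mailbox: str) -> Tuple[str, str]:
    """Split 'local-part@domain', folding only the domain to lowercase
    (DNS owner names are case-insensitive; the local-part is left alone)."""
    local, sep, domain = mailbox.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox: {mailbox!r}")
    return local, domain.lower().rstrip(".")


def cert_owner_name(mailbox: str) -> str:
    """RFC 4398 section 3.3 style: replace '@' with '.'.
    Escaping of local-parts that are not valid DNS labels is not modelled."""
    local, domain = split_mailbox(mailbox)
    return f"{local.lower()}.{domain}"


def openpgpkey_owner_name(mailbox: str) -> str:
    """RFC 7929 owner name: hex(SHA-256(local-part)[:28])._openpgpkey.domain."""
    local, domain = split_mailbox(mailbox)
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain}"


def find_collisions(mailboxes: Iterable[str], hostnames: Iterable[str],
                    derive: Callable[[str], str]) -> List[str]:
    """Owner names that both a mailbox (via `derive`) and a host would claim.

    Such a name would carry the host's address records and the user's key
    records side by side, which is the change-control problem raised above."""
    hosts = {h.lower().rstrip(".") for h in hostnames}
    return sorted({derive(m) for m in mailboxes} & hosts)


# Constructed sample data for the demonstration.
MAILBOXES = ["leslie@host.example", "www@host.example", "root@host.example.org"]
HOSTNAMES = ["www.host.example", "mail.host.example", "host.example.org"]


def demo() -> Tuple[List[str], List[str]]:
    """Return (CERT-scheme collisions, OPENPGPKEY-scheme collisions)."""
    cert = find_collisions(MAILBOXES, HOSTNAMES, cert_owner_name)
    opgp = find_collisions(MAILBOXES, HOSTNAMES, openpgpkey_owner_name)
    return cert, opgp


if __name__ == "__main__":
    for m in MAILBOXES:
        print(f"{m:24} CERT -> {cert_owner_name(m)}")
        print(f"{'':24} OPENPGPKEY -> {openpgpkey_owner_name(m)}")
    cert_hits, opgp_hits = demo()
    print("CERT-scheme collisions with hostnames:", cert_hits)
    print("OPENPGPKEY-scheme collisions with hostnames:", opgp_hits)
```

The `_openpgpkey` label is what removes the overlap: whatever the local-part, the derived name can never equal an ordinary hostname in the zone, so the question of who controls a colliding name does not arise, and a resolver also does not need to pick the right record out of a mixed RRset at a host's name.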
