Again, please note that the "he" in Rob Shirey's note is NOT me. :-)
I would propose that we consider distributing key certificates for host
computers using the normal DNS without adding any special mechanisms
to the DNS other than maybe a new resource record. In my discussions,
I place trust in the cryptographic mechanisms behind the key certificates
and not in the network or the end computer systems or the DNS servers.
Someone has pointed out a potential problem with the size of a key certificate
possibly being larger than the DNS is currently set up to handle. This
potential problem should be explored further with the DNS experts.
I'd also like to note that my discussion has been deliberately limited
to key certificates for hosts, not for persons. The key certificates
for people are properly handled using the PEM approach. The value in
host key certificates is for the case where one deploys some kind of
IP Security Protocol (e.g. SP3) or some kind of IP authentication mechanism.
Regards,
Ran
atkinson(_at_)itd(_dot_)nrl(_dot_)navy(_dot_)mil
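The size concern raised in the message above is easy to quantify. The following is an added example, not code from Ran Atkinson's message or from any IETF work: it builds a minimal DNS answer that carries a host key certificate in a single resource record, measures it against the classic 512-byte UDP payload limit of RFC 1035, and shows what a conforming server has to do when the answer does not fit. The RR type number (65280, taken from the private-use range), the name host.example.com and the 1024-byte certificate blob are all assumptions constructed for the example; no real certificate format is parsed.

```python
import struct

# Constructed sample: 1024 bytes of filler standing in for a DER-encoded
# host key certificate (a realistic size for a certificate with a 1024-bit key).
SAMPLE_CERT = bytes(range(256)) * 4

DNS_UDP_LIMIT = 512        # classic RFC 1035 UDP payload limit
TYPE_HOSTCERT = 65280      # hypothetical RR type, private-use range (assumption)
CLASS_IN = 1
FLAG_TC = 0x0200           # "truncated" bit in the DNS header flags


def encode_name(name: str) -> bytes:
    """Encode a dotted host name as a sequence of DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_response(name: str, cert: bytes, ttl: int = 3600) -> bytes:
    """Build a DNS response: header, one question, one answer RR whose RDATA is `cert`."""
    if len(cert) > 0xFFFF:
        raise ValueError("RDATA exceeds the 16-bit RDLENGTH field")
    qname = encode_name(name)
    # Header: ID, flags (QR=1 AA=1 RD=1 RA=1 -> 0x8580), QDCOUNT=1, ANCOUNT=1, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", TYPE_HOSTCERT, CLASS_IN)
    answer = qname + struct.pack("!HHIH", TYPE_HOSTCERT, CLASS_IN, ttl, len(cert)) + cert
    return header + question + answer


def fits_in_udp(msg: bytes, limit: int = DNS_UDP_LIMIT) -> bool:
    """True if the whole message can be sent in one classic UDP DNS datagram."""
    return len(msg) <= limit


def udp_reply(msg: bytes, limit: int = DNS_UDP_LIMIT) -> bytes:
    """What an RFC 1035 server sends over UDP when `msg` is too large:
    header plus question only, with TC set, so the client retries over TCP.
    The certificate itself never reaches the client in that datagram."""
    if len(msg) <= limit:
        return msg
    ident, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    while msg[off] != 0:          # skip the question name
        off += msg[off] + 1
    off += 1 + 4                  # terminator, QTYPE, QCLASS
    header = struct.pack("!HHHHHH", ident, flags | FLAG_TC, qd, 0, 0, 0)
    return header + msg[12:off]


def parse_response(msg: bytes):
    """Parse a message from build_response(); return (name, rtype, rdata)."""
    def read_name(off):
        labels = []
        while True:
            ln = msg[off]
            off += 1
            if ln == 0:
                break
            labels.append(msg[off:off + ln].decode("ascii"))
            off += ln
        return ".".join(labels), off

    _, off = read_name(12)        # question section
    off += 4                      # QTYPE, QCLASS
    aname, off = read_name(off)   # answer section
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    return aname, rtype, msg[off:off + rdlen]


if __name__ == "__main__":
    full = build_response("host.example.com", SAMPLE_CERT)
    print(len(full), "bytes; fits in UDP:", fits_in_udp(full))
    print("UDP reply would be", len(udp_reply(full)), "bytes with TC set")
```

With the 1024-byte blob the answer is 1086 bytes on the wire, so a classic resolver gets a 34-byte truncated reply and must fall back to TCP, which many stub resolvers of the period never did; that is the concrete form of the "size" problem the message asks the DNS experts to examine. A 100-byte RDATA, by contrast, fits with room to spare, so the constraint bites specifically on certificate-sized records.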