kaufman(_at_)zk3(_dot_)dec(_dot_)com says:
> This discussion came late to pem-dev, and it could be I'm missing some
> crucial context. But let me throw in some thoughts:
>
> 1) There is little to be gained by storing certificates of on-line
> entities in DNS because it is just as easy to ask the entity for its
> certificate(s).
But HOW do you ask the entities for their certificates? DNS is a nice
existing mechanism by which you can do the asking.
> 2) If you wanted to store certificates in DNS and were concerned about
> their length, be aware that certificates are big only because their
> designers had no motivation to make them small. The critical
> information in a certificate is a public key (which for 512 bit RSA and
> a fixed public exponent could be 64 bytes), a signature (also 64
> bytes), and an expiration (which could be two bytes if people were
> ambitious).
Make it into a 1024 bit key, the minimum you need for real security,
add a signature, add IDENTITY information on the key and signature,
and you are pushing over the line.
Perry