----- Unsent message follows -----
Received: by us3rmc.bb.dec.com; id AA10682; Fri, 17 Sep 93 15:22:37 -0700
Received: by inet-gw-1.pa.dec.com; id AA26810; Fri, 17 Sep 93 15:22:39 -0700
Received: from magellan.tis.com by magellan.TIS.COM id aa00715;
          17 Sep 93 17:46 EDT
Received: from tis.com by magellan.TIS.COM id aa00711; 17 Sep 93 17:44 EDT
Received: from azalea.tis.com by TIS.COM (4.1/SUN-5.64)
          id AA23681; Fri, 17 Sep 93 17:43:55 EDT
Received: by azalea.tis.com; id AA11433; Fri, 17 Sep 93 17:42:33 EDT
Received: from lehman.com/192.147.66.1 via smap
Received: from shearson.com ([192.9.140.112]) by lehman.com (4.1/LB 0.1)
          id AA15671; Fri, 17 Sep 93 17:40:57 EDT
Received: from snark.lehman.com by shearson.com (4.1/LB-0.6)
          id AA15268; Fri, 17 Sep 93 17:40:55 EDT
Received: by snark.lehman.com (4.1/SMI-4.1)
          id AA24688; Fri, 17 Sep 93 17:40:53 EDT
Message-Id: <9309172140.AA24688@snark.lehman.com>
To: pem-dev@tis.com, ipsec@ans.net,
    namedroppers@nic.ddn.mil
Subject: Re: [resend] Use of DNS to distribute keys
In-Reply-To: Your message of "Fri, 17 Sep 1993 16:30:10 EDT."
             <9309172030.AA22224@abyss.zk3.dec.com>
Reply-To: pmetzger@lehman.com
X-Reposting-Policy: redistribute only with permission
Date: Fri, 17 Sep 1993 17:40:52 -0400
From: "Perry E. Metzger" <pmetzger@lehman.com>

kaufman@zk3.dec.com says:
> This discussion came late to pem-dev, and it could be I'm missing some
> crucial context. But let me throw in some thoughts:
>
> 1) There is little to be gained by storing certificates of on-line
> entities in DNS because it is just as easy to ask the entity for its
> certificate(s).

But HOW do you ask the entities for their certificates? DNS is a nice
existing mechanism by which you can do the asking.

> 2) If you wanted to store certificates in DNS and were concerned about
> their length, be aware that certificates are big only because their
> designers had no motivation to make them small. The critical
> information in a certificate is a public key (which for 512 bit RSA and
> a fixed public exponent could be 64 bytes), a signature (also 64
> bytes), and an expiration (which could be two bytes if people were
> ambitious).

Make it into a 1024 bit key, the minimum you need for real security,
add a signature, add IDENTITY information on the key and signature,
and you are pushing over the line.

Perry
------- End of Forwarded Message