This is why DNS Security has flags in the KEY RR specifying whether the
KEY is for the owner name as a user, a host, or a zone.
But this makes things messy at the user interface -- actually, at all
layers above the cryptography -- because all occurrences of names then
have to be <TYPE,NAME> instead of just <NAME> to disambiguate between
the different name types.
I *definitely* want to know the difference between a key certified by
the LCS.MIT.EDU zone vs. a key certified by LCS@MIT.EDU ... but if
you disallow LCS@MIT.EDU from certifying keys, you've just disallowed
the (quite popular) PGP certification model.
- Bill
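As an added example (not part of Bill's post), this decodes the name-type bits of a DNS Security KEY RR flags field and turns a KEY record into the <TYPE,NAME> pair the post describes; it assumes the RFC 2535 layout (bits 6-7 of the 16-bit flags, counted from the most significant bit: 00 user, 01 zone, 10 host/entity, 11 reserved) and a constructed sample record for the owner name LCS.MIT.EDU.

```python
import struct

# Assumed RFC 2535 section 3.1 name-type encoding for bits 6-7 of the flags field.
NAME_TYPES = {0b00: "user", 0b01: "zone", 0b10: "host", 0b11: "reserved"}


def key_name_type(flags: int) -> str:
    """Return the name type encoded in bits 6-7 of a KEY RR flags field."""
    if not 0 <= flags <= 0xFFFF:
        raise ValueError("flags must be a 16-bit value")
    # RFC 2535 numbers bits from the most significant end, so bits 6-7 are
    # the two lowest bits of the high octet (0x0200 and 0x0100).
    return NAME_TYPES[(flags >> 8) & 0b11]


def typed_name(rdata: bytes, owner: str) -> tuple:
    """Parse KEY RDATA (flags, protocol, algorithm, public key) into (TYPE, NAME).

    The same owner name can appear with different name types, which is why
    every name above the crypto layer has to carry its type as well.
    """
    if len(rdata) < 4:
        raise ValueError("KEY RDATA too short for flags/protocol/algorithm")
    flags, _protocol, _algorithm = struct.unpack("!HBB", rdata[:4])
    ntype = key_name_type(flags)
    if ntype == "reserved":
        raise ValueError("reserved name type in KEY flags")
    return (ntype, owner.rstrip(".").upper())


def same_certifier(a: tuple, b: tuple) -> bool:
    """Two certifiers are the same only if both TYPE and NAME agree."""
    return a == b


def _demo() -> list:
    # Constructed sample RDATA: flags, protocol 3 (DNSSEC), algorithm 1, dummy key.
    zone_rr = struct.pack("!HBB", 0x0100, 3, 1) + b"\x00"   # bits 6-7 = 01
    user_rr = struct.pack("!HBB", 0x0000, 3, 1) + b"\x00"   # bits 6-7 = 00
    return [typed_name(zone_rr, "LCS.MIT.EDU."), typed_name(user_rr, "LCS.MIT.EDU.")]


if __name__ == "__main__":
    zone_key, user_key = _demo()
    print(zone_key, user_key, same_certifier(zone_key, user_key))
```

The two records share the owner name LCS.MIT.EDU but decode to different ("zone", ...) and ("user", ...) pairs, so a certificate chain must compare the tuple, not the bare name.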