pem-dev

Re: Let's dump X.500 addressing while we're at it.

1995-07-27 08:16:00
On Thu, 27 Jul 1995, Bill Sommerfeld wrote:

> > This is why DNS Security has flags in the KEY RR specifying whether the
> > KEY is for the owner name as a user, a host, or a zone.
>
> But this makes things messy at the user interface -- actually, at all
> layers above the cryptography -- because all occurrences of names then
> have to be <TYPE,NAME> instead of just <NAME> to disambiguate between
> the different name types.

Yes, sometimes historic artifacts made things more complicated than if
you had the luxury of redesigning a system from scratch.  Although
actually I think it just makes the innards more complicated.  At the
real user interface, you could do whatever you wanted to indicate what
type of name it was, radio buttons, different fields, colors, etc.
More complex perhaps but not necessarily what I would call "messy".

> I *definitely* want to know the difference between a key certified by
> the LCS.MIT.EDU zone vs. a key certified by LCS@MIT.EDU ...  but if
> you disallow LCS@MIT.EDU from certifying keys, you've just disallowed
> the (quite popular) PGP certification model.

No, in DNS SEC any valid name can be used as the signer of a SIG RR
and there is a key footprint to almost always enable you to immediately
tell which KEY RR with that name applies in the rare cases where there
is more than one.

>                                       - Bill

Donald
=====================================================================
Donald E. Eastlake 3rd     +1 508-287-4877(tel)     dee@cybercash.com
   318 Acton Street        +1 508-371-7148(fax)     dee@world.std.com
Carlisle, MA 01741 USA     +1 703-620-4200(main office, Reston, VA)
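To make the two mechanisms argued over in this exchange concrete (name-type flags in the KEY RR telling a user key from a host or zone key at the same owner name, and the key footprint in a SIG RR picking out which of several KEY RRs at the signer's name applies), here is an added Python example. It is not part of the thread and not either author's code. It encodes the name type the way RFC 2535 later specified it (bits 6-7 of the 16-bit flags field, bit 0 most significant) and computes the footprint with the general key-tag rule of RFC 4034 Appendix B; the 1995 drafts under discussion may have laid the bits out differently, and the owner name, flag values, protocol/algorithm numbers and four-octet "public keys" are constructed placeholders, not real key material.

```python
import struct
from dataclasses import dataclass
from typing import List

# Name-type values carried in bits 6-7 of the 16-bit KEY flags field
# (RFC 2535 section 3.1.2 numbering; bit 0 is the most significant bit).
# Assumed layout for this example; the 1995 draft may have differed.
NAME_TYPES = {0: "user", 1: "zone", 2: "host", 3: "reserved"}


def key_tag(rdata: bytes, algorithm: int) -> int:
    """Key tag / footprint over the KEY RDATA: 16-bit sum with the carry folded
    back in (RFC 4034 Appendix B). Algorithm 1 (RSA/MD5) uses a different rule
    in the RFCs and is rejected here rather than computed wrongly."""
    if algorithm == 1:
        raise ValueError("algorithm 1 key tag is taken from the modulus; not handled here")
    ac = 0
    for i, octet in enumerate(rdata):
        # Even offsets are the high byte of a 16-bit word, odd offsets the low byte.
        ac += octet if (i & 1) else (octet << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class KeyRR:
    """One KEY resource record: owner name plus its RDATA fields."""
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes  # raw public key octets, treated as opaque here

    def rdata(self) -> bytes:
        # Wire-format RDATA: flags (2 octets), protocol (1), algorithm (1), key.
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    @property
    def name_type(self) -> str:
        return NAME_TYPES[(self.flags >> 8) & 0x3]

    @property
    def tag(self) -> int:
        return key_tag(self.rdata(), self.algorithm)


def select_signer(keys: List[KeyRR], signer: str, footprint: int, algorithm: int) -> List[KeyRR]:
    """Return the KEY RRs at a SIG's signer name whose algorithm and footprint
    match. Normally exactly one; an empty list means no candidate key; more
    than one means a tag collision and the verifier must try each."""
    signer = signer.lower()  # DNS owner names compare case-insensitively
    return [k for k in keys
            if k.owner.lower() == signer and k.algorithm == algorithm and k.tag == footprint]


def describe(key: KeyRR) -> str:
    return f"{key.owner} ({key.name_type} key, algorithm {key.algorithm}, tag {key.tag})"


# Constructed sample: three keys sharing one owner name, differing only in
# name type and key material. Protocol 3 and algorithm 5 are placeholder
# values chosen so the general tag rule applies; the key bytes are not real keys.
KEY_ZONE = KeyRR("lcs.mit.edu.", 0x0100, 3, 5, b"\x01\x02\x03\x04")
KEY_USER = KeyRR("lcs.mit.edu.", 0x0000, 3, 5, b"\xaa\xbb\xcc\xdd")
KEY_HOST = KeyRR("lcs.mit.edu.", 0x0200, 3, 5, b"\x10\x20\x30\x40")
SAMPLE_KEYS = [KEY_ZONE, KEY_USER, KEY_HOST]

if __name__ == "__main__":
    for k in SAMPLE_KEYS:
        print(describe(k))
    # A SIG naming lcs.mit.edu. as signer with footprint 2059 resolves to the
    # zone key only, even though a user key and a host key share that name.
    print([describe(k) for k in select_signer(SAMPLE_KEYS, "LCS.MIT.EDU.", 2059, 5)])
```

The point the example makes for a verifier is the one Donald argues: the owner name alone never has to be unique, because the flags say what kind of principal the key belongs to and the footprint in the SIG narrows the candidate set to (almost always) one record before any signature is checked. A verifier should still treat a multi-element result as "try each", never as "pick the first".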
