IETF Logo Mail Archive

Global PKI on DNS?

Franck Martin <franck@SOPAC.ORG> Sat, 08 June 2002 01:54 UTC

Received: from loki.ietf.org (loki [10.27.2.29]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA19811 for <ietf-web-archive@odin.ietf.org>; Fri, 7 Jun 2002 21:54:17 -0400 (EDT)
Received: (from adm@localhost) by loki.ietf.org (8.9.1b+Sun/8.9.1) id VAA18413 for ietf-outbound.10@loki.ietf.org; Fri, 7 Jun 2002 21:54:01 -0400 (EDT)
Received: from ietf.org (odin.ietf.org [10.27.2.28]) by loki.ietf.org (8.9.1b+Sun/8.9.1) with ESMTP id VAA18385 for <ietf-mainout@loki.ietf.org>; Fri, 7 Jun 2002 21:52:03 -0400 (EDT)
Received: by ietf.org (8.9.1a/8.9.1a) id VAA19797 for ietf-mainout; Fri, 7 Jun 2002 21:51:31 -0400 (EDT)
X-Authentication-Warning: ietf.org: majordom set sender to owner-ietf@ietf.org using -f
Received: from flinux.sopac.org.fj ([202.62.1.33]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA19765 for <ietf@ietf.org>; Fri, 7 Jun 2002 21:51:09 -0400 (EDT)
Received: by flinux.sopac.org.fj (Postfix, from userid 500) id 34CEF1E95C; Sat, 8 Jun 2002 13:22:28 +0000 (UTC)
Subject: Global PKI on DNS?
From: Franck Martin <franck@SOPAC.ORG>
To: openssl-users@openssl.org
Cc: ietf@ietf.org, isdf@isoc.org
In-Reply-To: <B9266DC7.69C5%brian@balancesoftware.com>
References: <B9266DC7.69C5%brian@balancesoftware.com>
Content-Type: multipart/alternative; boundary="=-TSkMorsjoWKis2MkLWCB"
X-Mailer: Evolution/1.0.2-5mdk
Date: Sat, 08 Jun 2002 13:22:28 +0000
Message-Id: <1023542548.17232.30.camel@flinux.sopac.org.fj>
Mime-Version: 1.0
Sender: owner-ietf@ietf.org
Precedence: bulk
X-Loop: ietf@ietf.org

I was wondering if the best system to build a global PKI wouldn't be the
DNS system already in place?

The root servers would share the ROOT Certificates and would sign a
certificate to each .org .com .net .fr,... managers of this
domains...Which in turn would use these certificates to sign sub domains
certificates...

The issued certifcates would have a constraint on the domain name to
ensure that the certificate can only be used in sub domains... and would
allow to be used for anything (web server, imap server, e-mail, code,
document,...)

There would be an extension to the DNS protocol to add a type record
which would allow to extract the certificate and the list of revoked
certificates...

The system would have to be quite secure but DNSSec is in place now...

It would be the easiest way as apparently nobody is trying to build a
global PKI infrastructure and LDAP people can't agree on a global
standard to link each ldap server to each other, which DNS has...

Comments?

Cheers.

v2.23.0 | Report a Bug | By Email