As others have pointed out, the DNS already has the capability to store certs. So you could use the DNS as a publication method. But is this the only thing a PKI needs? How would one revoke a cert that was in the DNS? How can you update -every- cached copy of the cert in question?
You don't need to. There are in general two options for this sort of thing:
1) short-lived certs
2) CRLs published at regular intervals.
Both involve regularly-signed short-lived objects.
Errr - OCSP?
Cheers,
Ben.
-- http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff