Re: CERT records again
At 15:48 23/11/2000 +0100, Simon Josefsson wrote:
>One argument is that the "PKIX" certificate type is very general.
>Several certificate flavours are based on PKIX, and more are likely to
>be defined in the future. S/MIME and WAP TLS certificates are the two
>I've been working with. This suggests that the number of certificates
>attached to a specific domain name will grow once more flavours gain
>acceptance -- and clients will
>
> 1) waste bandwidth by retrieving all PKIX certificates for a
>domain, and
>
> 2) waste time to parse through all certificates to find an
>S/MIME, WAP TLS etc. certificate.
>
>This would cause quite some complexity in a client.
One answer is to define new RR types for each type of cert.
This is highly inflexible.
Another answer is to define _ domains - find the S/MIME cert of
harald@alvestrand.no under _smime.harald.alvestrand.no, for instance.
This is doable, but will double the domain count *again*.
A third answer is to define the URL RR, and put a pointer to the relevant
LDAP directory entry in it, where new types are a lot cheaper than in the DNS.
No lack of answers. Lack of clue about picking one (and lack of clue-by-4
to make the pick stick).
--
Harald Tveit Alvestrand, alvestrand@cisco.com
+47 41 44 29 94
Personal email: Harald@Alvestrand.no
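An added example, not part of this thread, that models the two points above in code: the owner-name mapping for a mailbox (plain and with the `_smime` label proposed by Harald), and the client-side cost Simon describes when every PKIX-typed CERT record under one name must be fetched and parsed to find one flavour. The CERT RDATA layout (type, key tag, algorithm, certificate) is from RFC 2538; the RRset contents, key tags, algorithm number and the `marker` byte strings that stand in for real X.509 inspection are constructed for the example.

```python
import struct
from typing import Optional, Tuple

# CERT RDATA layout from RFC 2538: type (16 bits) | key tag (16 bits) | algorithm (8 bits) | certificate
CERT_TYPE_PKIX = 1  # the one CERT type shared by every flavour named in the thread (S/MIME, WAP TLS, ...)

def mailbox_owner_name(mailbox: str, flavour: Optional[str] = None) -> str:
    """Owner name to query for a mailbox's CERT RRset.
    Plain form: harald@alvestrand.no -> harald.alvestrand.no.
    With a flavour, the '_' label proposed in the thread: _smime.harald.alvestrand.no."""
    local, domain = mailbox.rsplit("@", 1)
    name = f"{local}.{domain}".lower()
    return f"_{flavour}.{name}" if flavour else name

def build_cert_rdata(cert_type: int, key_tag: int, algorithm: int, cert: bytes) -> bytes:
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + cert

def parse_cert_rdata(rdata: bytes) -> dict:
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-byte fixed header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return {"type": cert_type, "key_tag": key_tag, "algorithm": algorithm, "cert": rdata[5:]}

def pick_flavour(rrset: list, marker: bytes) -> Tuple[Optional[dict], int, int]:
    """Model the client cost the thread complains about: the whole RRset is
    transferred and every record parsed, although only the one carrying
    `marker` is wanted. `marker` is a constructed stand-in for the X.509
    inspection a real client would need to tell S/MIME from WAP TLS.
    Returns (chosen record or None, bytes fetched, bytes actually needed)."""
    fetched = sum(len(r) for r in rrset)
    chosen = None
    for rdata in rrset:
        rec = parse_cert_rdata(rdata)
        if rec["type"] == CERT_TYPE_PKIX and marker in rec["cert"]:
            chosen = rec
            break
    needed = 5 + len(chosen["cert"]) if chosen else 0
    return chosen, fetched, needed

# Constructed RRset: three PKIX-typed certs of different flavours under one owner name.
SAMPLE_RRSET = [
    build_cert_rdata(CERT_TYPE_PKIX, 1001, 5, b"X509:WAPTLS:" + b"\x00" * 600),
    build_cert_rdata(CERT_TYPE_PKIX, 1002, 5, b"X509:TLS:" + b"\x00" * 800),
    build_cert_rdata(CERT_TYPE_PKIX, 1003, 5, b"X509:SMIME:" + b"\x00" * 700),
]
```

With the `_smime` label the client would query `mailbox_owner_name(mailbox, "smime")` and fetch only the third record; without it, `pick_flavour` shows the whole RRset crossing the wire before one record is selected.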