Re: CERT records again
At 9:48 AM -0500 11/23/00, Simon Josefsson wrote:
> 1) waste bandwidth by retrieving all PKIX certificates for a
>domain, and
Not to dispute the desire for more CERT type-value definitions, but
defining different values wouldn't reduce the bandwidth - all things being
equal.
E.g.:
owner.domain.name         CERT PKIX-1 <<cert>> ; yes, I omitted the key args
                          CERT PKIX-1 <<cert>>
                          CERT PKIX-2 <<cert>>
Even if I just wanted PKIX-2 (e.g. WAP TLS) I would be getting all three.
The different numbers do make it easier to throw away the two unwanted
(PKIX-1) CERTs though.
To cut down on the bandwidth you could do this:
pkix-1.owner.domainname   CERT PKIX-1 <<cert>> ; again, omitting key args
                          CERT PKIX-1 <<cert>>
pkix-2.owner.domainname   CERT PKIX-2 <<cert>>
In the latter case you'd get just the one desired - saving bandwidth at the
cost of more domain names (more an issue for the client than the server).
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis NAI Labs
Phone: +1 443-259-2352 Email: lewis@tislabs.com
"It takes years of training to know when to do nothing" - Dogbert
Opinions expressed are property of my evil twin, not my employer.
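
Added example, not part of the original message or of any DNS implementation: a small Python model of the two zone layouts above, showing that a CERT query returns the whole RRset at an owner name, so only splitting by owner name reduces what is transferred. The certificate bytes and their sizes are constructed placeholders, and the helper names (`build_zone`, `query_cert`, `fetch`) are hypothetical.

```python
# Added illustration; zone data and certificate sizes are constructed.
from collections import defaultdict

def build_zone(records):
    """Group (owner, cert_type, cert_bytes) tuples into CERT RRsets keyed by owner."""
    zone = defaultdict(list)
    for owner, cert_type, cert in records:
        zone[owner.lower().rstrip(".")].append((cert_type, cert))
    return zone

def query_cert(zone, owner):
    """A CERT query is answered with the whole RRset at that owner name;
    the server cannot filter on the certificate type inside the RDATA."""
    return list(zone.get(owner.lower().rstrip("."), []))

def fetch(zone, owner, wanted_type):
    """Return (certs of wanted_type, RDATA bytes transferred, RRs discarded)."""
    answer = query_cert(zone, owner)
    transferred = sum(len(cert) for _, cert in answer)
    kept = [cert for cert_type, cert in answer if cert_type == wanted_type]
    return kept, transferred, len(answer) - len(kept)

# Constructed stand-ins for DER certificates (sizes are arbitrary).
CERT_A, CERT_B, CERT_C = b"A" * 900, b"B" * 1100, b"C" * 700

# Layout 1: all three CERT RRs share one owner name.
SHARED = build_zone([
    ("owner.domain.name", "PKIX-1", CERT_A),
    ("owner.domain.name", "PKIX-1", CERT_B),
    ("owner.domain.name", "PKIX-2", CERT_C),
])

# Layout 2: one owner name per certificate type.
SPLIT = build_zone([
    ("pkix-1.owner.domainname", "PKIX-1", CERT_A),
    ("pkix-1.owner.domainname", "PKIX-1", CERT_B),
    ("pkix-2.owner.domainname", "PKIX-2", CERT_C),
])

if __name__ == "__main__":
    for label, zone, name in (("shared", SHARED, "owner.domain.name"),
                              ("split", SPLIT, "pkix-2.owner.domainname")):
        kept, transferred, discarded = fetch(zone, name, "PKIX-2")
        print(f"{label}: kept={len(kept)} bytes={transferred} discarded={discarded}")
```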