Re: Storing Certificates in the DNS (draft-ietf-dnsext-rfc2538bis-08)
Russ:
In the current 2538-bis draft, section 2 contains OID's for both
certificates and CRL's (although not AC's), while section 3 profiles owner
names for certificates and not for CRL's. Does this really make sense,
especially given that there doesn't seem to be any place where owner names
for CRL's are profiled?
Also, I think we all realize that most current certificates don't
fit in 512 bytes, and if the size of standard RSA keys increases the
certificates will grow more since every certificate contains both a
subject public key and a signature whose size is no smaller than the CA's
key. CRL's actually fit better (a sample one I have with a 1024-bit key
has a size of about 350 bytes + 37 bytes for each entry, changing to 39
for revocation times after 2000), but they have to be distribution point
CRL's and they have to be quite small. If Phill's point about MTU size is
relevant, a CRL with more than about 30 entries revoked won't fit into
that window - and that doesn't guarantee that 30 will.
Tom Gindin
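The size argument above can be checked with a small DER byte-count model. The following is an added example written for this thread; it is not code from the draft or from either poster. Its assumptions are mine: a v2 CRL with a CN-only issuer "Example CA", a single cRLNumber extension, 16-byte serial numbers, sha256WithRSAEncryption, and a placeholder signature whose length equals the RSA modulus (a PKCS#1 v1.5 signature is always exactly that long), so the output is a size estimate, not a verifiable CRL. It reports how many revoked entries keep the encoding within the 512-byte budget mentioned in the message, for both 1024-bit and 2048-bit issuer keys.

```python
"""DER size model for an X.509 v2 CRL (example code, not from the draft).

Assumptions (mine): CN-only issuer, one cRLNumber extension, 16-byte serials,
and a zero-filled placeholder signature of modulus length.  Only lengths are
meaningful; the result is not a signed CRL.
"""
from datetime import datetime, timezone


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Tag + length + content (TLV)."""
    return bytes([tag]) + der_len(len(content)) + content


def der_int(n: int) -> bytes:
    """INTEGER; (+8)//8 leaves room for a leading 0x00 when the top bit is set."""
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_time(t: datetime) -> bytes:
    """RFC 5280 Time: UTCTime (13 bytes) for 1950-2049, else GeneralizedTime (15)."""
    if 1950 <= t.year <= 2049:
        return der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    return der(0x18, t.strftime("%Y%m%d%H%M%SZ").encode())


# sha256WithRSAEncryption = 1.2.840.113549.1.1.11 with NULL parameters
SHA256_WITH_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
# Name: SEQUENCE { SET { SEQUENCE { commonName (2.5.4.3), UTF8String "Example CA" } } }
ISSUER = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"Example CA"))))
# crlExtensions [0] { SEQUENCE { SEQUENCE { cRLNumber (2.5.29.20), OCTET STRING { INTEGER 1 } } } }
CRL_NUMBER_EXT = der(0xA0, der(0x30, der(0x30, der(0x06, bytes.fromhex("551d14")) + der(0x04, der_int(1)))))

EPOCH = datetime(2030, 1, 1, tzinfo=timezone.utc)  # constructed sample date


def revoked_entry(serial: int, when: datetime) -> bytes:
    """One revokedCertificates element: SEQUENCE { serial, revocationDate }."""
    return der(0x30, der_int(serial) + der_time(when))


def build_crl(n_revoked: int, key_bits: int = 1024, revoked_at: datetime = EPOCH) -> bytes:
    """Encode a CertificateList with n_revoked entries and a placeholder signature."""
    tbs = der_int(1) + SHA256_WITH_RSA + ISSUER + der_time(EPOCH) + der_time(EPOCH)
    if n_revoked:  # RFC 5280: omit revokedCertificates entirely when empty
        # (1 << 120) | i forces every serial to a 16-byte, sign-safe encoding
        entries = b"".join(revoked_entry((1 << 120) | i, revoked_at) for i in range(n_revoked))
        tbs += der(0x30, entries)
    tbs += CRL_NUMBER_EXT
    placeholder_sig = b"\x00" * (key_bits // 8)  # same length as a real RSA signature
    return der(0x30, der(0x30, tbs) + SHA256_WITH_RSA + der(0x03, b"\x00" + placeholder_sig))


def max_entries_that_fit(budget: int = 512, key_bits: int = 1024) -> int:
    """Largest entry count whose CRL is <= budget bytes; -1 if even an empty CRL is too big."""
    if len(build_crl(0, key_bits)) > budget:
        return -1
    n = 0
    while len(build_crl(n + 1, key_bits)) <= budget:
        n += 1
    return n


if __name__ == "__main__":
    for bits in (1024, 2048):
        print(f"{bits}-bit key: empty CRL = {len(build_crl(0, bits))} bytes, "
              f"max entries under 512 bytes = {max_entries_that_fit(512, bits)}")
    print("per-entry cost, UTCTime:", len(revoked_entry(1 << 120, EPOCH)),
          "GeneralizedTime:", len(revoked_entry(1 << 120, EPOCH.replace(year=2060))))
```

The model is a lower bound: a real CRL carries a longer issuer name and usually further extensions (an authority key identifier, for instance), and the outer length fields grow by a byte each time a nested SEQUENCE crosses 128 or 256 bytes, so the per-entry cost is not perfectly constant. Switching a revocation date from UTCTime to GeneralizedTime adds two bytes per entry, which is the same two-byte step the message describes.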
Russ Housley <housley@xxxxxxxxxxxx>
10/13/2005 11:30 AM
To: Tom Gindin/Watson/IBM@IBMUS
cc: ietf-pkix@xxxxxxx, simon@xxxxxxxxxxxxx
Subject: Re: Storing Certificates in the DNS
(draft-ietf-dnsext-rfc2538bis-08)
Tom:
Thanks for the review. I do not think that this kind of guidance belongs
in draft-ietf-dnsext-rfc2538bis, but it does belong in 3280bis.
Russ
At 06:38 PM 10/12/2005, Tom Gindin wrote:
> Russ:
>
> Are there any guidelines for CRL owner names, since they're
>covered in the draft although DNS distribution points aren't detailed in
>RFC 3280? If there aren't any, IMHO a reasonable rule would be that if
>any sequence member of the distribution point name is a domain name (not a
>URI), that should be used. Also (and lower in precedence), if any
>sequence member of the distribution point name is an RFC 822 address, its
>standard translation should be used. I doubt if URI's will work without
>conflicts.
> I don't know if these count as "concerns".
>
> Tom Gindin
>P.S. The opinions above are mine, and not necessarily those of my
>employer.