
Re: Storing Certificates in the DNS (draft-ietf-dnsext-rfc2538bis-08)



Tom Gindin <tgindin@xxxxxxxxxx> writes:

>         Russ:
>
>         In the current 2538-bis draft, section 2 contains OID's for both 
> certificates and CRL's (although not AC's), while section 3 profiles owner 
> names for certificates and not for CRL's.  Does this really make sense, 
> especially given that there doesn't seem to be any place where owner names 
> for CRL's are profiled?

If CERT RRs are to be used by PKIX, I believe you would need a PKIX
Operational Protocols for DNS document, such as:

http://josefsson.org/rfc2538bis/draft-josefsson-pkix-dns-00.txt

That document should mandate exact owner name rules used for
particular applications, and could describe how CRLs stored in DNS
would be used.  I don't think that kind of detail should go into RFC
2538bis.  Your concerns would be applicable to that document.

>         Also, I think we all realize that most current certificates don't 
> fit in 512 bytes, and if the size of standard RSA keys increases the 
> certificates will grow more since every certificate contains both a 
> subject public key and a signature whose size is no smaller than the CA's 
> key.  CRL's actually fit better (a sample one I have with a 1024-bit key 
> has a size of about 350 bytes + 37 bytes for each entry, changing to 39 
> for revocation times after 2000), but they have to be distribution point 
> CRL's and they have to be quite small.  If Phill's point about MTU size is 
> relevant, a CRL with more than about 30 entries revoked won't fit into 
> that window - and that doesn't guarantee that 30 will.

The document addresses this problem through the IPKIX type.

Thanks,
Simon


>                 Tom Gindin
>
>
>
>
>
>
> Russ Housley <housley@xxxxxxxxxxxx>
> 10/13/2005 11:30 AM
>  
>         To:     Tom Gindin/Watson/IBM@IBMUS
>         cc:     ietf-pkix@xxxxxxx, simon@xxxxxxxxxxxxx
>         Subject:        Re: Storing Certificates in the DNS 
> (draft-ietf-dnsext-rfc2538bis-08)
>
>
> Tom:
>
> Thanks for the review.  I do not think that this kind of guidance belongs 
> in draft-ietf-dnsext-rfc2538bis, but it does belong in 3280bis.
>
> Russ
>
>
> At 06:38 PM 10/12/2005, Tom Gindin wrote:
>
>>         Russ:
>>
>>         Are there any guidelines for CRL owner names, since they're
>>covered in the draft although DNS distribution points aren't detailed in
>>RFC 3280?  If there aren't any, IMHO a reasonable rule would be that if
>>any sequence member of the distribution point name is a domain name (not a
>>URI), that should be used.  Also (and lower in precedence), if any
>>sequence member of the distribution point name is an RFC 822 address, its
>>standard translation should be used.  I doubt if URI's will work without
>>conflicts.
>>         I don't know if these count as "concerns".
>>
>>                 Tom Gindin
>>P.S.    The opinions above are mine, and not necessarily those of my
>>employer.
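The IPKIX fallback Simon points to, as an added worked example that is not from the thread or the draft: a small Python encoder that builds CERT RDATA in the RFC 2538/4398 layout (type, key tag, algorithm, payload), sizes a minimal uncompressed UDP answer, and switches to an IPKIX URL reference when the DER certificate would push the answer past 512 bytes; the type codes PKIX=1 and IPKIX=4 are taken from the published RFC 4398, the key tag and algorithm of 0 are an assumption for the example, and crl_size_estimate applies Tom's rule of thumb.

```python
import struct

# CERT RR type codes as published in RFC 4398 (successor of 2538bis).
# PKIX carries the DER certificate itself; IPKIX carries a URL to it.
CERT_TYPE_PKIX = 1
CERT_TYPE_IPKIX = 4
DNS_UDP_LIMIT = 512          # classic RFC 1035 UDP payload limit
ETHERNET_MTU = 1500          # the "MTU window" mentioned in the thread


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format owner name: length-prefixed labels + root."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def cert_rdata(cert_type: int, key_tag: int, algorithm: int, payload: bytes) -> bytes:
    """CERT RDATA: type(16 bits) | key tag(16) | algorithm(8) | cert, CRL or URL."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + payload


def answer_size(owner: str, rdata: bytes) -> int:
    """Bytes of a minimal one-answer response: 12-byte header, the question
    (name + QTYPE + QCLASS), and one RR (name + 10 fixed bytes + RDATA).
    Name compression is deliberately ignored, so this is an upper bound."""
    name = encode_name(owner)
    return 12 + len(name) + 4 + len(name) + 10 + len(rdata)


def choose_cert_record(owner: str, der: bytes, url: str):
    """Return (cert_type, rdata): PKIX if the DER blob fits a 512-byte UDP
    answer, otherwise an IPKIX record pointing at the certificate by URL.
    Key tag / algorithm are 0 here (assumption: no DNSKEY linkage)."""
    direct = cert_rdata(CERT_TYPE_PKIX, 0, 0, der)
    if answer_size(owner, direct) <= DNS_UDP_LIMIT:
        return CERT_TYPE_PKIX, direct
    return CERT_TYPE_IPKIX, cert_rdata(CERT_TYPE_IPKIX, 0, 0, url.encode("ascii"))


def crl_size_estimate(entries: int, after_2000: bool = True) -> int:
    """Tom's rule of thumb: ~350 bytes + 37 per entry (39 for post-2000 times)."""
    return 350 + (39 if after_2000 else 37) * entries


def crl_fits_mtu(entries: int) -> bool:
    """Whether an estimated CRL of this size stays inside one Ethernet MTU."""
    return crl_size_estimate(entries) <= ETHERNET_MTU
```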