[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: A brief comparison of email encryption protocols



Eric Murray wrote:
| Adam Shostack writes:
| > 
| > Leaving it out may be ok because we can define a standard location by
| > key type: 
| > 
| > key://slack.lne.com/~ericm/key.asc
| > key://slack.lne.com/~ericm/key.x509
| > 
| > key://slack.lne.com/~ericm/x509/key.cert
| > key://slack.lne.com/~ericm/pgp/key.asc
| > 
| > I have no objection to defining a shorter URL, but would want some
| > indicator that we're in user space, not host/domain/realm space.  A
| > ~username serves that purpose as well as /u/ and is a more common
| > usage.
| 
| Ok.  Sounds good, for user-maintained keys like PGP anyhow.
| More hierarchical keys, like X.509, could be maintained
| by a CA that also maintains the server... some people who
| could use encryption don't know, and don't want to know, enough
| about it to even be willing to hold their own certificates.  They
| want it to "just work".  I think that this scheme should be flexable
| enough to be able to support a CA maintaining user's certificates
| for them.  Note that this doesn't mean that the CA/key server
| would know the keys, i.e. this should not support GAK*.

	Having keys placed in a namespace defiend by a user does not
mean the user needs to make the key available, only that the key can
be found there.

	Nothing says we can't have key://keys.verisign.com/~ericm if
they issue keys in some space that maps into user names.

| > My last comment is that if we define a URN scheme for keys, we should
| > force a dependable structure on it, so that its predictable where to
| > find a users PGP key from an email address, without having to check 6
| > locations.  Nothing is there now, we should require order to make
| > everyones life easier.
| 
| Along those lines, I was envisioning adding a KEY RR type to
| DNS, and using it to maintain pointers to keyservers.

[...]
| This sounds so obvious that I'm sure that I'm not the first
| or even the tenth person to think of it, and in fact I
| see a KEY RR type defined in the BIND 4.9.3BETA17 source.  But
| there's just a type there, nothing else to support it.
| Anyone know what it's for?

	Donald Eastlake is writing the spec for storing keys in
nameservers.  Its in the process of moving to draft standard; there
will probably be something about it after LA.  I think its:

ftp://ds.internic.net/draft-ietf-dnssec-secext-09.txt


Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume