On Mon, Nov 28, 2005 at 10:36:19AM -0800, Dave Crocker allegedly wrote:
> Folks,
>
> For those not on the IETF Announcement list, the following is relevant to
> the DKIM DNS RR effort:
>
> The IESG has approved the following document:
>
> - 'Storing Certificates in the Domain Name System (DNS) '
> <draft-ietf-dnsext-rfc2538bis-09.txt> as a Proposed Standard

Yeah. I've looked at this, along with a good number of other efforts. The question arises as to whether Selector attributes are the moral equivalent of certificate attributes.

Consider that an rfc2538 RR consists of four fields: type, tag, alg and cert. This means that we'd have to embed all of the Selector attributes into the cert blob and thus we still have to define the format of that blob such that it can handle the attributes we need.

The second issue this raises is that we aren't taking full advantage of the type matching capability of DNS. We still need to sub-type search to ensure that the returned CERT RRset contains a DKIM cert unless we continue to insist on namespace separation. I'm under the impression that this type of sub-typing is not viewed favorably.

Mark.

_______________________________________________
ietf-dkim mailing list
http://dkim.org
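
The two costs described in the message above, as an added example that is not part of the original post: a verifier splits CERT RDATA into its four fields, has to sub-type filter the returned RRset, and then still needs a second parser for the blob. The DKIM type value, the `k=v;` blob format and the sample records are assumptions constructed for illustration.

```python
import struct

# Constructed placeholder: no DKIM certificate type is assigned. This value
# only stands in for one so the sub-type filter has something to match.
HYPOTHETICAL_DKIM_CERT_TYPE = 0xFF01
PKIX, PGP = 1, 3  # certificate types defined in RFC 2538

def parse_cert_rdata(rdata: bytes) -> dict:
    """Split CERT RDATA into its four fields: type, key tag, algorithm, cert."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than the 5-byte fixed header")
    cert_type, key_tag, alg = struct.unpack("!HHB", rdata[:5])
    return {"type": cert_type, "tag": key_tag, "alg": alg, "cert": rdata[5:]}

def parse_selector_blob(blob: bytes) -> dict:
    """Hypothetical blob format ('k=v; k=v'); the RR itself defines none."""
    attrs = {}
    for part in blob.decode("ascii").split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute: {part!r}")
        attrs[key.strip()] = value.strip()
    return attrs

def dkim_records(rrset: list) -> list:
    """Sub-type search: keep only RRs whose type field marks them as DKIM."""
    matches = []
    for rdata in rrset:
        try:
            rr = parse_cert_rdata(rdata)
            if rr["type"] != HYPOTHETICAL_DKIM_CERT_TYPE:
                continue  # some other application's CERT RR at the same name
            rr["attrs"] = parse_selector_blob(rr["cert"])
        except ValueError:
            continue  # truncated RDATA or unparseable blob: never trust it
        matches.append(rr)
    return matches

def make_rdata(cert_type: int, key_tag: int, alg: int, cert: bytes) -> bytes:
    return struct.pack("!HHB", cert_type, key_tag, alg) + cert

# Constructed RRset: one name answering with CERT RRs from several applications.
SAMPLE_RRSET = [
    make_rdata(PKIX, 0x1234, 5, b"\x30\x82\x01\x0a"),
    make_rdata(HYPOTHETICAL_DKIM_CERT_TYPE, 0, 0, b"k=rsa; t=y; p=PLACEHOLDERKEY"),
    make_rdata(PGP, 0, 0, b"\x99\x01\x0d"),
    b"\x00\x01",  # truncated record
]

if __name__ == "__main__":
    for rr in dkim_records(SAMPLE_RRSET):
        print(hex(rr["type"]), rr["attrs"])
```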
