Quoting Martijn Brinkers <[email protected]>:

> On 01/-10/-28163 08:59 PM, [email protected] wrote:
>> With the rise of DNSSEC, DNS-based publishing has been getting more attention lately. Would it be possible to integrate into Djigzo a possibility to search for DNS-published certificates compatible with RFC 4398?
>
> I think this is a very interesting approach. Especially if we can use the certificate as a domain certificate. Or do you want to store all end-user certificates in DNS as well? Might also be possible, I need some time to read RFC 4398.
As far as I know it is possible and suggested to store end-user (S/MIME) certificates in special records (IN CERT) which can be queried for by replacing the "@" with a dot, so for example my list address will yield a DNS query for lst_hoe02.kwsoft.de (have to check if underscore is allowed :-). All other certificates are possible as well, identified by a type flag. The basic idea is that with DNSSEC two problems which prevented such a system until now will become obsolete:

- The data size of DNS RR sets, which until now was hardly ever bigger than 512 bytes, will be raised by EDNS without fallback to TCP.
- The spoof protection is finally there, so if you can validate an answer by DNSSEC you can be sure to a great extent that the data is unmodified and intended by the owner of the domain.

So for Djigzo it might be interesting to query DNS if a certificate is not available and maybe even decide to add it to the CTL if DNSSEC validation succeeds.
Regards Andreas
_______________________________________________
Users mailing list
[email protected]
http://lists.djigzo.com/lists/listinfo/users
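The lookup flow Andreas sketches above (map the mail address to an owner name, fetch and decode a CERT record, and only trust the answer when DNSSEC validation succeeded) as an added worked example. This is example code written for this page, not Djigzo code and not the RFC's reference implementation. It uses only the Python standard library so it runs offline: the resolver is a stand-in function that returns RDATA plus a flag mirroring the AD bit, the "certificate" bytes are a constructed placeholder rather than real DER, and the key tag is the RFC 4034 Appendix B checksum applied to whatever bytes are passed in (RFC 4398 defines the exact input; that detail is not reproduced here).

```python
"""RFC 4398 CERT record handling: owner-name mapping, RDATA codec, DNSSEC gate.

Example code added to the thread, not part of Djigzo. The resolver is a
stand-in; the certificate bytes are a constructed placeholder.
"""
import base64
import struct

# Certificate type values from RFC 4398 section 2.1 (subset).
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 4: "IPKIX", 5: "ISPKI",
              6: "IPGP", 7: "ACPKIX", 8: "IACPKIX", 253: "URI", 254: "OID"}
PKIX = 1


def owner_name_for_email(address: str) -> str:
    """Map user@example.com to user.example.com. as described in the thread.

    The local part becomes a single label. DNS labels may carry any octet on
    the wire (so an underscore is fine), but presentation-format escaping of
    odd characters is left out of this example.
    """
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError("not an e-mail address: %r" % address)
    if len(local.encode()) > 63:
        raise ValueError("local part exceeds the 63-octet label limit")
    return "%s.%s." % (local, domain.rstrip(".").lower())


def rfc4034_key_tag(key: bytes) -> int:
    """Key tag checksum from RFC 4034 Appendix B over the given bytes."""
    ac = 0
    for i, b in enumerate(key):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def encode_cert_rdata(cert_type: int, key_tag: int, algorithm: int, cert: bytes) -> bytes:
    """CERT RDATA wire format: type(16) | key tag(16) | algorithm(8) | certificate."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + cert


def decode_cert_rdata(rdata: bytes) -> dict:
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-byte fixed header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return {"type": cert_type, "type_name": CERT_TYPES.get(cert_type, str(cert_type)),
            "key_tag": key_tag, "algorithm": algorithm, "certificate": rdata[5:]}


def presentation(owner: str, rdata: bytes) -> str:
    """Zone-file line for a CERT RR (type mnemonic, key tag, algorithm, base64 cert)."""
    r = decode_cert_rdata(rdata)
    return "%s IN CERT %s %d %d %s" % (owner, r["type_name"], r["key_tag"], r["algorithm"],
                                       base64.b64encode(r["certificate"]).decode())


def needs_edns(owner: str, rdatas: list) -> bool:
    """Upper-bound UDP reply size (no name compression); classic DNS caps it at 512."""
    name_len = len(owner.encode()) + 1          # dotted length + terminating root label
    size = 12 + name_len + 4                    # header + question (name, type, class)
    for r in rdatas:
        size += name_len + 10 + len(r)          # owner + type/class/ttl/rdlength + rdata
    return size > 512


def smime_certificates(address: str, resolver) -> list:
    """PKIX certificates for `address`, but only from a DNSSEC-validated answer.

    `resolver(owner)` stands in for a validating resolver and returns
    (list_of_rdata, authenticated). An unauthenticated answer yields nothing,
    so a caller that auto-adds results to a CTL never trusts a spoofable record.
    """
    rdatas, authenticated = resolver(owner_name_for_email(address))
    if not authenticated:
        return []
    decoded = [decode_cert_rdata(r) for r in rdatas]
    return [d["certificate"] for d in decoded if d["type"] == PKIX]


# Constructed placeholder, NOT a real DER certificate.
SAMPLE_CERT = b"\x30\x10CONSTRUCTED-DER"
SAMPLE_OWNER = owner_name_for_email("lst_hoe02@kwsoft.de")
SAMPLE_RDATA = encode_cert_rdata(PKIX, rfc4034_key_tag(SAMPLE_CERT), 5, SAMPLE_CERT)


def resolver_validated(owner):      # stand-in: answer carried the AD bit
    return ([SAMPLE_RDATA] if owner == SAMPLE_OWNER else [], True)


def resolver_unvalidated(owner):    # stand-in: same data, no DNSSEC validation
    return ([SAMPLE_RDATA], False)


if __name__ == "__main__":
    print(presentation(SAMPLE_OWNER, SAMPLE_RDATA))
    print("validated:", smime_certificates("lst_hoe02@kwsoft.de", resolver_validated))
    print("unvalidated:", smime_certificates("lst_hoe02@kwsoft.de", resolver_unvalidated))
    print("needs EDNS:", needs_edns(SAMPLE_OWNER, [SAMPLE_RDATA]))
```

`needs_edns` is the check behind the first bullet in the mail: a real certificate is typically over 1 KB, so the record set only fits in a UDP reply once EDNS(0) is negotiated. `smime_certificates` is the gate behind the second bullet: without the AD bit the record is discarded rather than trusted.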
