Quote from Martijn Brinkers <martijn(a)djigzo.com>:
On 01/-10/-28163 08:59 PM, lst_hoe02(a)kwsoft.de wrote:
With the rise of DNSSEC, DNS-based publishing has been getting more attention
lately. Would it be possible to integrate into Djigzo a possibility to
search for DNS-published certificates compatible with RFC 4398?
I think this is a very interesting approach. Especially if we can use
the certificate as a domain certificate. Or do you want to store all
end-user certificates in DNS as well? Might also be possible, I need
some time to read RFC 4398.
As far as I know it is possible, and suggested, to store end-user
(S/MIME) certificates in special records (IN CERT) which can be
queried for by replacing the "@" with a dot, so for example my list
address will yield a DNS query for lst_hoe02.kwsoft.de (have to
check if underscore is allowed :-). All other certificates are possible
as well, identified by a type flag. The basic idea is that with DNSSEC
two problems which prevented such a system until now will become obsolete:
- The data size of DNS RR sets, which until now was hardly ever bigger
than 512 bytes, will be raised by EDNS without fallback to TCP
- The spoof protection is finally there, so if you can validate an
answer by DNSSEC you can be sure to a great extent that the data is
unmodified and intended by the owner of the domain.
So for Djigzo it might be interesting to query DNS if a certificate is
not available and maybe even decide to add it to the CTL if DNSSEC
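The lookup sketched in the message above, as an added example (Python standard library only; this is not Djigzo code and not code from the list post): it derives the CERT owner name from an e-mail address using the mapping the post describes (replace "@" with a dot, keeping the local-part as a single DNS label), builds a CERT/IN query carrying an EDNS0 OPT record with a 4096-byte payload size and the DO bit set, and parses the answer, reporting the header AD flag that a validating resolver sets and the type/key-tag/algorithm/certificate fields of each CERT RDATA. The response it parses is a fixture constructed inline, not captured traffic; its key tag and algorithm values are placeholders and no key tag is computed. That a CERT answer is only trustworthy when it arrives with AD set from a resolver you trust (or after local validation) is the post's own point; the code only surfaces the flag.

```python
"""RFC 4398 CERT lookup for an e-mail address: owner name, EDNS0/DO query, answer parsing.

Added example, not Djigzo code and not from the list post. Assumptions (not from the
page): the owner-name mapping is the one the post describes (replace '@' with '.',
local-part kept as one DNS label); the response below is constructed inline, not
captured from a real resolver, and its key tag/algorithm are placeholder values.
"""
import struct

QTYPE_CERT = 37          # CERT RR type code (RFC 4398)
QTYPE_OPT = 41           # OPT pseudo-RR for EDNS0 (RFC 6891)
OPT_DO_BIT = 0x00008000  # "DNSSEC OK" bit in the OPT TTL field
FLAG_AD = 0x0020         # Authenticated Data flag in the DNS header
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 4: "IPKIX", 5: "ISPKI",
              6: "IPGP", 7: "ACPKIX", 8: "IACPKIX", 253: "URI", 254: "OID"}


def cert_owner_labels(email):
    """'lst_hoe02@kwsoft.de' -> ['lst_hoe02', 'kwsoft', 'de'] (local-part is one label)."""
    local, at, domain = email.rpartition("@")
    if not at or not local or not domain:
        raise ValueError("not an e-mail address: %r" % email)
    return [local] + [label for label in domain.split(".") if label]


def encode_name(labels):
    """Wire-format domain name, no compression."""
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length out of range: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_cert_query(email, txid=0x1234, udp_payload=4096):
    """Query for CERT/IN with an OPT record advertising udp_payload and DO=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = encode_name(cert_owner_labels(email)) + struct.pack("!HH", QTYPE_CERT, 1)
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, udp_payload, OPT_DO_BIT, 0)  # root name, no options
    return header + question + opt


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (labels, offset after the name)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return labels, (off if end is None else end)


def parse_cert_rdata(rdata):
    """CERT RDATA: type (16 bit), key tag (16 bit), algorithm (8 bit), certificate/CRL."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA too short")
    ctype, key_tag, alg = struct.unpack("!HHB", rdata[:5])
    return {"type": CERT_TYPES.get(ctype, ctype), "key_tag": key_tag,
            "algorithm": alg, "certificate": rdata[5:]}


def parse_cert_response(msg):
    """Return the AD flag and all CERT records in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _labels, off = read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    certs = []
    for _ in range(an):
        labels, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_CERT:
            rec = parse_cert_rdata(rdata)
            rec["owner"] = ".".join(labels)
            certs.append(rec)
    return {"authenticated": bool(flags & FLAG_AD), "certs": certs}


def build_sample_response(query, cert_bytes, authenticated=True):
    """Constructed reply a validating resolver might send (test fixture, not real traffic)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (FLAG_AD if authenticated else 0)  # QR, RD, RA (+AD when validated)
    question = query[12:query.index(b"\x00", 12) + 5]   # name terminator + QTYPE + QCLASS
    rdata = struct.pack("!HHB", 1, 0, 8) + cert_bytes   # PKIX; key tag/alg are placeholders
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_CERT, 1, 3600, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer


def lookup_demo(email="lst_hoe02@kwsoft.de", authenticated=True):
    """Build the query, feed it a constructed answer, and return the parsed result."""
    query = build_cert_query(email)
    fake_cert = b"\x30\x82\x01\x00" + b"\x00" * 4        # constructed stand-in, not real DER
    return parse_cert_response(build_sample_response(query, fake_cert, authenticated))


if __name__ == "__main__":
    result = lookup_demo()
    for rec in result["certs"]:
        print(rec["owner"], rec["type"], "DNSSEC-validated:", result["authenticated"])
```

To run it against a real resolver, send `build_cert_query(...)` over UDP to port 53 and pass the reply to `parse_cert_response`; if the TC bit is set in the reply the payload did not fit even with the advertised EDNS size and the query has to be retried over TCP. A gateway would also need to check the certificate itself (chain, validity, that its e-mail SAN matches the queried address) before trusting it; the AD flag only says the DNS data was validated.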