[doseta-discuss] key publishing Re: suggestions/concerns on spec
Bill Burke
bburke at redhat.com
Fri Jun 3 05:28:09 PDT 2011
On 6/2/11 10:58 PM, Mark Nottingham wrote:
>> - Public key discovery should be fully broken out, with DKIM as one possible solution for public key discovery. One of the problems I had was to actually find somebody that has deployed DKIM. I could not find anybody as of yet. The people I talked to thought using DNS was an interesting idea, but the biggest concern was the lack of knowledge/deployment of DNSSEC. Security sounds like it might be an issue with public key publication. I don't know enough about DNS to say whether or not something like DNSSEC would be required to ensure the integrity of the public key you are obtaining to verify a signature.
>>
>> - Many people I talked to thought DNS would be difficult to deploy and manage for a public key infrastructure. I myself had difficulties finding a DNS solution that I could embed in unit tests (even then I had to hack it). Then I had to learn how to configure DNS TXT records (yeah, it's easy, but...). Generally application developers just don't have the know-how or permission to set up a DNS server. I and others I've talked to would really like to have an HTTP-based solution to publish keys.
>
> +1. My thinking has been RFC5785 over HTTPS...
>
I like that idea, but I still think a more flexible mechanism is
desired because I want to promote DOSETA for application development.
My JBoss experience has been that each customer/user wants to manage
their security data in their own specific way. For example, many
organizations are married to LDAP or Active Directory and will want to
publish their public keys using that infrastructure.
So...I would prefer just a simple alternative 'uri' doseta field. The
"d" and "s" fields would be the DNS option to discover public keys. I'm
*not* suggesting to replace or retire the DNS option. I really really
like it. I just want to offer alternatives that are specified in the
spec or ones registered via a key registry (like what is done with atom
links).
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
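The two discovery paths discussed in this thread (the DKIM-style TXT record selected by the "d" and "s" fields, and an alternative "uri" field pointing at an HTTPS location) can be sketched in code. The block below is an added example, not code from the thread, from DOSETA or from any JBoss project. It assumes a tag named `uri` for the alternative (the thread does not fix the name), constructed key records and hostnames under example.com, and a dict-backed fetcher standing in for DNS/HTTPS so the whole discovery path runs inside a unit test, which is the pain point raised above. It also adds one check the thread only hints at: a key fetched from a URI proves nothing about the `d=` domain unless the URI host is under that domain, so the example refuses foreign hosts; and it treats a record with an empty `p=` as a revoked key rather than a parse error, as DKIM does.

```python
"""Key discovery for DKIM/DOSETA-style signatures with a pluggable fetcher.

Added example; tag names beyond the DKIM ones (notably uri=) are assumptions.
"""
import base64
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# (scheme, location) -> raw key record text. Production code would plug in a DNS
# TXT lookup for "dns" and an HTTPS GET for "https"; unit tests plug in a dict.
Fetcher = Callable[[str, str], str]


class KeyDiscoveryError(Exception):
    pass


class KeyRevoked(KeyDiscoveryError):
    """Key record published with an empty p= tag: the key has been withdrawn."""


@dataclass
class PublicKeyRecord:
    key_der: bytes        # base64-decoded p= value (SubjectPublicKeyInfo for k=rsa)
    hash_algs: List[str]  # h= tag; an empty list means any hash is acceptable
    testing: bool         # t=y: signer is testing, failures should not be treated as hard


def parse_tag_list(text: str) -> Dict[str, str]:
    """Parse RFC 6376 tag=value syntax, e.g. "v=DKIM1; k=rsa; p=MIIB...".
    Folding whitespace inside values is removed; duplicate tags are rejected."""
    tags: Dict[str, str] = {}
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise KeyDiscoveryError(f"malformed tag: {item!r}")
        name, value = item.split("=", 1)
        name = name.strip()
        if not name or name in tags:
            raise KeyDiscoveryError(f"empty or duplicate tag {name!r}")
        tags[name] = re.sub(r"\s+", "", value)
    return tags


def key_location(sig: Dict[str, str]) -> Tuple[str, str]:
    """Map a parsed signature to where its public key is published.

    d= and s= select the DKIM mechanism: a TXT record at <s>._domainkey.<d>.
    A uri= tag (assumed name for the alternative proposed in the thread) points at
    an HTTPS location. Since d= is the identity the signature asserts, the uri host
    must be d= or a subdomain of it; otherwise a signer could point verifiers at a
    key it controls on an unrelated host.
    """
    domain = sig.get("d", "").lower()
    if not domain:
        raise KeyDiscoveryError("signature has no d= tag")
    if "uri" in sig:
        uri = sig["uri"]
        m = re.match(r"https://([^/:?#]+)", uri, re.IGNORECASE)
        if not m:
            raise KeyDiscoveryError("key uri must be an https URL")
        host = m.group(1).lower()
        if host != domain and not host.endswith("." + domain):
            raise KeyDiscoveryError(f"key uri host {host!r} is not under d={domain!r}")
        return ("https", uri)
    if "s" in sig:
        return ("dns", f"{sig['s']}._domainkey.{domain}")
    raise KeyDiscoveryError("signature carries neither s= nor uri=")


def load_key_record(record: str) -> PublicKeyRecord:
    """Validate a DKIM-style key record and extract the public key bytes."""
    tags = parse_tag_list(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise KeyDiscoveryError(f"unsupported record version {tags.get('v')!r}")
    if tags.get("k", "rsa") != "rsa":
        raise KeyDiscoveryError(f"unsupported key type {tags.get('k')!r}")
    if "p" not in tags:
        raise KeyDiscoveryError("key record has no p= tag")
    if tags["p"] == "":
        raise KeyRevoked("key record has an empty p= tag")
    try:
        key_der = base64.b64decode(tags["p"], validate=True)
    except ValueError as exc:
        raise KeyDiscoveryError("p= is not valid base64") from exc
    hash_algs = [a for a in tags.get("h", "").split(":") if a]
    testing = "y" in tags.get("t", "").split(":")
    return PublicKeyRecord(key_der=key_der, hash_algs=hash_algs, testing=testing)


def discover_public_key(signature_header: str, fetch: Fetcher) -> PublicKeyRecord:
    """Parse a signature header, locate its key, then fetch and validate the record."""
    sig = parse_tag_list(signature_header)
    scheme, location = key_location(sig)
    return load_key_record(fetch(scheme, location))


# Constructed sample data: not real keys, not from the original thread.
FAKE_KEY_B64 = base64.b64encode(b"constructed placeholder, not a real RSA SPKI").decode()

SAMPLE_RECORDS = {
    ("dns", "s1._domainkey.example.com"): f"v=DKIM1; k=rsa; h=sha256; p={FAKE_KEY_B64}",
    ("dns", "old._domainkey.example.com"): "v=DKIM1; k=rsa; p=",
    ("https", "https://keys.example.com/doseta/s2"): f"v=DKIM1; k=rsa; t=y; p={FAKE_KEY_B64}",
}


def in_memory_fetcher(scheme: str, location: str) -> str:
    """Test double standing in for DNS/HTTPS so discovery runs offline."""
    try:
        return SAMPLE_RECORDS[(scheme, location)]
    except KeyError:
        raise KeyDiscoveryError(f"no key record at {scheme}:{location}") from None


if __name__ == "__main__":
    rec = discover_public_key("v=1; a=rsa-sha256; d=example.com; s=s1; b=Zm9v",
                              in_memory_fetcher)
    print(len(rec.key_der), rec.hash_algs, rec.testing)
```

The fetcher seam is what makes the DNS path testable without a local resolver: the same `discover_public_key` runs against `in_memory_fetcher` in a unit test and against a real TXT lookup or HTTPS GET in production. Note that the HTTPS path only moves the trust question, it does not remove it: the verifier must still check the server certificate against the `d=` domain, much as the DNS path would rely on DNSSEC for record integrity.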