Secure communication is an increasingly important application of the Internet. Without secure communication, many existing social functions cannot benefit from modern technology; the primary example is commerce. The foundation of secure communication is cryptography, which enables secure communication through the use of keys. The management of these keys has proven to be a problem when the technology is taken into use. So-called public key cryptography solves several of these problems; in particular, it allows keys to be transferred, in the form of a certificate, through unprotected communication channels.
The primary remaining problem in key management is a technical one, namely how to locate the certificate for a certain machine or person.
Some basic requirements on the facility used to locate the certificate can easily be identified. It must be accessible everywhere. It should be practical, in the sense that it should not be extremely expensive or cause administrative hassle to operate. Preferably it should be distributed, because a central worldwide organization storing all certificates is not feasible to implement. The facility itself does not, however, need to be secure, although security, where possible, would add value.
So far our description is similar to how a facility for locating the address (instead of the certificate) of a certain machine or person on the Internet would work. The facility that implements this in today's world is called the Domain Name System (DNS). Our description also resembles the directory service X.500 and its more successful Internet protocol implementation, the Lightweight Directory Access Protocol (LDAP).
This thesis compares the Domain Name System and the Lightweight Directory Access Protocol for use as a certificate lookup service. In particular, we focus on the application of secure electronic mail, used to send messages between persons over the Internet. We demonstrate that the idea of storing certificates in DNS is practical by building a prototype. We also discuss, and propose solutions to, a perceived privacy threat introduced by recent additions to the Domain Name System protocol.
The report is outlined as follows. In chapter 2, we give an overview of, and a background to, cryptography, Public Key Infrastructure (PKI), DNS and secure messaging, which are used throughout this report. In chapter 3 we demonstrate our implementation of a secure mail application and of a certificate publishing application. In chapter 4 we compare LDAP and DNS for certificate locating and retrieval purposes. In chapter 5 we discuss privacy threats due to Secure DNS and present a possible remedy. In the final chapter we present our conclusions and suggest topics for further investigation.