I wrote this a while back, there was some interest in it at the time but it never went anywhere:
https://datatracker.ietf.org/doc/html/draft-brown-whoami-02

G.

> On 26 Feb 2025, at 18:00, Phillip Hallam-Baker <ph...@hallambaker.com> wrote:
>
> I am currently taking a hard look at mechanisms for using DNS Handles as a
> means for exchange of authenticated and non-authenticated contact information
> via JSContact.
>
> As part of that, I wanted to know if there was any *existing* use of the
> SSHFP record for publishing SSH credentials and if so whether it was limited
> to the server. And yes, I can read the specs; what I am asking about is
> actual practice.
>
> If there is existing use, it might be something to build on. Otherwise, I
> think it best to forget it and apply the same SRV/TXT framework used for
> everything else.
>
> The basic idea of JSContacts in handles is that I can put
> @phill.hallambaker.com on my business card or a publication, someone can
> pull the TXT record and get a uri that is a locator, decryptor and
> authenticator all in one:
>
> _jscontact.phill.hallambaker.com. IN TXT
> "uri=jscontact://mplace2.social/egm3-lbnd-upo4-yxha-fy7p-hiim-y4kq"
>
> That egm3-lbnd-upo4-yxha-fy7p-hiim-y4kq bit is a truncated SHA-3 digest of
> the contact data. So if my SSH key is in the contact and the TXT record is
> DNSSEC signed, we have at least some authentication of the contact.
>
> Alternatively, I might put the jscontact link on my business card as a QR
> code. So now, you can scan the link and get direct verification.
>
> mplace2.social is just a resolution hint, a domain that currently has the
> contact information. If that is going to be in a paper publication, the
> resolution site might have changed but not the contact itself.
>
> jscontact: @phill.hallambaker.com/egm3-lbnd-upo4-yxha-fy7p-hiim-y4kq
>
> Since my publication engine has to populate the TXT records, it can do SSHFP
> in theory. But I see no reason to do that if it hasn't already established a
> user base.
>
> _______________________________________________
> dns-operations mailing list
> dns-operations@lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Gavin Brown
Principal Engineer, Global Domains & Strategy
Internet Corporation for Assigned Names and Numbers (ICANN)
https://www.icann.org
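The _jscontact TXT locator and the SSHFP option discussed in the quoted message, as an added example that is not part of the thread, of draft-brown-whoami, or of Phillip's publication engine. It takes the TXT record value as input (no DNS is done; a real client must fetch it through a validating resolver and insist on DNSSEC validation, otherwise anyone on the resolution path can substitute the locator), checks fetched contact bytes against the digest so that the resolution host is treated purely as a hint, and emits the SSHFP RDATA a publication engine would generate for a user's OpenSSH public key. The digest encoding is an assumption chosen only to match the shape of the example string (SHA3-256 truncated to 140 bits, lowercase base32 in dash-separated groups of four); it is not the real format Phillip's tooling uses. The contact document, TXT value and ed25519 key bytes are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import re
import struct
from dataclasses import dataclass

TXT_RE = re.compile(r"^uri=jscontact://([A-Za-z0-9.-]+)/([a-z2-7-]+)$")


@dataclass(frozen=True)
class Locator:
    host: str    # resolution hint only; never a trust anchor
    digest: str  # content identifier; this is what binds the contact data


def parse_txt(rdata: str) -> Locator:
    """Parse the value of a _jscontact.<handle> TXT record.

    The record must have come back DNSSEC-validated (e.g. AD bit set from a
    validating resolver); this function only parses what it is given."""
    m = TXT_RE.match(rdata.strip().strip('"'))
    if not m:
        raise ValueError("not a jscontact locator: %r" % rdata)
    return Locator(host=m.group(1), digest=m.group(2))


def contact_digest(contact: bytes, bits: int = 140) -> str:
    """ASSUMED encoding (not the thread's real one): SHA3-256, truncated to
    `bits`, lowercase base32, dash-separated groups of four characters."""
    raw = hashlib.sha3_256(contact).digest()
    b32 = base64.b32encode(raw).decode("ascii").lower()
    s = b32[: bits // 5]  # 5 bits per base32 char; 140 bits -> 28 chars
    return "-".join(s[i:i + 4] for i in range(0, len(s), 4))


def verify_contact(locator: Locator, contact: bytes) -> bool:
    """True only if the fetched bytes match the digest published in DNS.
    The host the bytes were fetched from plays no part in the decision, so a
    contact that moved to another resolution site still verifies and a site
    serving tampered bytes is rejected."""
    return hmac.compare_digest(contact_digest(contact), locator.digest)


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# SSHFP algorithm numbers: RFC 4255 (1 RSA, 2 DSA), RFC 6594 (3 ECDSA and
# fingerprint type 2 = SHA-256), RFC 7479 (4 Ed25519).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}


def sshfp_rdata(openssh_pubkey_line: str) -> str:
    """SSHFP RDATA '<algorithm> 2 <hex SHA-256>' for an OpenSSH public key
    line. The fingerprint covers the base64-decoded key blob (what
    `ssh-keygen -r` hashes). The type embedded in the blob must agree with
    the leading type word, or the record would advertise the wrong algorithm."""
    keytype, b64 = openssh_pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("key type word does not match the encoded blob")
    return "%d 2 %s" % (SSHFP_ALGORITHM[keytype], hashlib.sha256(blob).hexdigest())


# Constructed sample data for the demonstration (not real records or keys).
SAMPLE_CONTACT = b'{"@type":"Card","version":"1.0","name":{"full":"Example Person"}}'
SAMPLE_TXT = '"uri=jscontact://mplace2.social/%s"' % contact_digest(SAMPLE_CONTACT)
# 32 arbitrary bytes in ssh-ed25519 wire framing; not a usable key.
SAMPLE_PUBKEY = "ssh-ed25519 %s user@example" % base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
).decode("ascii")


if __name__ == "__main__":
    loc = parse_txt(SAMPLE_TXT)
    print("hint host:", loc.host, " digest:", loc.digest)
    print("served bytes verify:", verify_contact(loc, SAMPLE_CONTACT))
    print("tampered bytes verify:", verify_contact(loc, SAMPLE_CONTACT + b" "))
    moved = parse_txt("uri=jscontact://elsewhere.example/" + loc.digest)
    print("same contact via another host:", verify_contact(moved, SAMPLE_CONTACT))
    print("SSHFP", sshfp_rdata(SAMPLE_PUBKEY))
```

The point of the split between `host` and `digest` is that the locator's authenticity comes from DNSSEC on the handle's zone plus the digest match, never from the resolution site; swapping the hint host in the last check shows the verification outcome does not change.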