CERTS in DNS with SMIME

While there are many proposed designs for a certificate publishing and retrieval system, including VeriSign Labs' RLDAP project, none is currently as pervasive or as thoroughly explored as DNS.

Certificates bind a public key to an identity under stated conditions. The CERT RR gives DNS the capability to serve public key certificates for anything that can be represented by a domain name. DNS CERT RRs can store several kinds of certificates (X.509, SPKI, PGP); however, software to produce the RRs is still lacking.

Applied Research's makecertrrs.pl script attempts to solve part of this problem. makecertrrs.pl is a Perl script that translates X.509 certificates into their corresponding DNS CERT records (as defined in RFC 2538, since updated by RFC 4398). These records can then be installed on a name server and distributed via DNS to CERT-aware client applications. Once a certificate is published in a CERT record, it becomes instantly obtainable by anyone with an appropriately configured DNS client. Note that DNS itself does not vouch for the answer: unless the zone is signed with DNSSEC, a client must still validate the certificate's chain rather than trust the record because it arrived over DNS.

For example, if you use a personal certificate for secure email and someone wants to send you a private message, they will need to encrypt it with the public key in your certificate. If you have already sent them a signed message, they can simply extract your certificate from it. If you have never sent them a signed message, however, they will need to look up your certificate elsewhere.


To translate X.509 certificates into their corresponding DNS CERT records with makecertrrs.pl you will need to:

Note: The certificate may be input in PEM, DER, or NET format. If the script is unable to process your X.509 certificate, please send us a copy and we should be able to add support for it.
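As an added example (not makecertrrs.pl and not VeriSign Labs' code), the following Python script performs the same translation for PEM or DER input: it checks that the input is exactly one well-formed DER SEQUENCE, derives the owner name from an e-mail address as RFC 2538 section 3.3 describes, and emits the record both in zone-file presentation form and as wire-format RDATA. The sample certificate bytes are a constructed placeholder SEQUENCE, not a real certificate, and the e-mail address is the page's own contact address used only for illustration; OpenSSL's legacy NET format is not handled and is rejected by the DER check.

```python
"""Encode an X.509 certificate as a DNS CERT resource record (RFC 2538).

Added example, not VeriSign Labs' makecertrrs.pl. Accepts PEM or DER input,
verifies the DER is one well-formed outer SEQUENCE, and emits the zone-file
presentation form and the wire-format RDATA.
"""
import base64
import re
import struct

CERT_TYPE_PKIX = 1   # RFC 2538 section 2.1: X.509 certificate per PKIX
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def check_der_sequence(der: bytes) -> bytes:
    """Require exactly one DER SEQUENCE (tag 0x30) whose encoded length
    matches the data. Catches truncated, concatenated, or non-DER (e.g. NET)
    input before it is published."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        hdr, length = 2, first
    else:                                 # long-form: 0x80 | number of bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        hdr = 2 + n
        length = int.from_bytes(der[2:hdr], "big")
    if hdr + length != len(der):
        raise ValueError("DER length %d+%d != %d" % (hdr, length, len(der)))
    return der


def to_der(data: bytes) -> bytes:
    """Return the DER bytes of the certificate in `data` (PEM or DER)."""
    m = PEM_RE.search(data)
    if m:
        data = base64.b64decode(b"".join(m.group(1).split()))
    return check_der_sequence(data)


def email_owner_name(addr: str) -> str:
    """Map an e-mail address to the CERT owner name (RFC 2538 section 3.3):
    the local part becomes the leftmost label, with dots in it escaped."""
    local, _, domain = addr.partition("@")
    if not local or not domain:
        raise ValueError("not an e-mail address")
    return local.replace(".", "\\.") + "." + domain + "."


def cert_rdata(der: bytes, key_tag: int = 0, algorithm: int = 0) -> bytes:
    """Wire-format RDATA: type(16) | key tag(16) | algorithm(8) | certificate.
    The key tag is only meaningful for a DNSSEC algorithm number; when the
    algorithm is 0 the tag must be 0 as well (RFC 2538 section 2)."""
    if algorithm == 0 and key_tag != 0:
        raise ValueError("key tag must be 0 when algorithm is 0")
    return struct.pack(">HHB", CERT_TYPE_PKIX, key_tag, algorithm) + der


def cert_rr(addr: str, cert: bytes, ttl: int = 3600) -> str:
    """Presentation-format CERT RR publishing `cert` for e-mail address `addr`."""
    der = to_der(cert)
    b64 = base64.b64encode(der).decode("ascii")
    return "%s %d IN CERT PKIX 0 0 %s" % (email_owner_name(addr), ttl, b64)


# Constructed sample: a 5-byte DER SEQUENCE, NOT a real certificate, wrapped
# in PEM armour so the PEM path is exercised without any external file.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER) + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(cert_rr("raldi@verisignlabs.com", SAMPLE_PEM))
```

Run with a real certificate by passing its PEM or DER bytes to cert_rr; the resulting line can be pasted into the zone for the e-mail address's domain. The key tag and algorithm are left at 0 because the script does not convert the certificate's key into DNSKEY form; that is the conservative choice the RFC prescribes when no DNSSEC algorithm applies.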

To set up S/MIME Support in mutt:

  1. Download and install OpenSSL.
  2. Download the source to mutt and apply Oliver Ehli's S/MIME patch. Compile and install. Put smime_keys.pl, which comes with the patch, somewhere in your path.
  3. Obtain a personal digital certificate through a site like www.verisign.com or www.thawte.com. If you are asked which application you wish to use the certificate with, select Outlook if you are using Windows and Netscape if you are using Linux. This is not strictly necessary, but these instructions were only tested with those two setups.
  4. Export the certificate together with its private key as a PKCS#12 (.p12) file; Internet Explorer on Windows and Mozilla on Linux can both do this.
  5. Move the exported file to the computer you will be running mutt on. It contains your private key, so transfer it over a secure channel and delete any copies left behind.
  6. Run the following command:

    smime_keys.pl add_p12 name_of_certificate_file

    • When the script asks for the "Import password", enter the password you chose when you exported the certificate.
    • When it asks for a "PEM pass phrase", make up a new password. Every time you sign or decrypt a message, mutt will ask for the PEM pass phrase; choose a strong one, since it is all that protects the private key stored under ~/.smime/keys.
    • Finally, when the script asks for a label, enter an easy-to-remember name for the certificate, such as "me". The script output will include a line like:

      added private key: /home/raldi/.smime/keys/12345678.0 for raldi@verisignlabs.com

      The number in the filename (12345678.0 in the example above) is your keyid. You will need it in the next step.

  7. Save the sample configuration file as ~/.muttrc.smime in your home directory. Edit it, replacing the keyid in the smime_sign_as line with your own.
  8. Add the following line to your ~/.muttrc:

    source ~/.muttrc.smime

For more information or support, please contact: raldi@verisignlabs.com