To: Randy Bush <randy@psg.com>
Cc: keydist@cafax.se
From: Simon Josefsson <simon+keydist@josefsson.org>
Date: Fri, 28 Dec 2001 16:17:55 +0100
Delivery-Date: Fri Dec 28 16:20:13 2001
In-Reply-To: <E16Js5Y-000Oj8-00@rip.psg.com> (Randy Bush's message of "Fri,28 Dec 2001 00:10:00 -0800")
Sender: owner-keydist@cafax.se
User-Agent: Gnus/5.090004 (Oort Gnus v0.04) Emacs/21.1 (i686-pc-linux-gnu)
Subject: Re: What are we trying to do?

Randy Bush <randy@psg.com> writes:

>> So, to be clear, do you feel that the advantages the existing DNS provide
>> in terms of scalability, cachability, reliability, redundancy, etc. have
>> insignificant value in the context of public key distribution or do you
>> feel it is better to reinvent an architecture that will provide those
>> attributes (and if so, why)?
>
> i am not a pki expert, so, unlike some, will refrain from judgement.
> let's see your license and registration.
>
> notice that the pki folk from security have not asked us to store keys
> in the dns for a while.  and the hard core security folk i listen to
> have yet to make clear to me what path they want to take.  when they do
> so in a formal way, then we might have some basis to discuss this.
> otherwise we have hackola solutions looking for a problem.

Ultimately the need should be driven by application writers, and there
is input (as drafts) from application WGs that explicitly want to
store application keys in DNS: SSH, IPSEC.  I believe PGP folks have
also expressed interest in seeing PGP keys distributed via DNS.  There
are also security requirements from other areas, such as BGP, that
might utilize DNS in the solution.  I'd say we have plenty of input
from other WGs to not worry about there being no problem to solve.

PKI (in the PKIX sense) is a different beast than application keys,
and I agree there hasn't been much interest in that area.  Perhaps
focusing on application keys for SSH, IPSEC and possibly PGP as the
first step would generate some momentum.
