To: Steve Hanna <steve.hanna@sun.com>
Cc: keydist@cafax.se
From: Paul Hoffman / IMC <phoffman@imc.org>
Date: Thu, 3 Jan 2002 09:03:31 -0800
Delivery-Date: Thu Jan 3 18:14:24 2002
In-Reply-To: <3C34737F.5275ED79@sun.com>
Sender: owner-keydist@cafax.se
Subject: Re: From whence we came...

At 10:06 AM -0500 1/3/02, Steve Hanna wrote:
>I'm pretty sure that we want certs here, not just keys. Putting keys
>in DNS and relying on DNSSEC to authenticate the keys means that
>you're tied to the DNSSEC trust model. Top down, single root (per
>TLD), single certification policy that may not match an application
>or user's needs, etc. Not good! But reasonable for some purposes.

This is not an either-or situation. Any kind of certs can be handed out. Some certs are PKIX certs where you pick the root of trust. Other certs are DNSSEC certs (which is really what a signed domain key is). I don't think there is a good reason to restrict the certs to a single format or a single trust model, but I could be wrong.

>Of course, using certs brings with it the problem of revocation.

Why should it? The PKIX world has been in denial about revocation for years. :-) FWIW, in the IPsec world, CRLs are often ignored. (Well, in one case of a major vendor, their code could not distribute CRLs and actually crashed if it received a CRL, but they didn't discover this for quite a while because no one who they were interoperating with was giving CRLs....)

--Paul Hoffman, Director
--Internet Mail Consortium