To: Steve Hanna <steve.hanna@sun.com>, Paul Hoffman / IMC <phoffman@imc.org>
Cc: Key Distribution <keydist@cafax.se>
From: David Conrad <david.conrad@nominum.com>
Date: Thu, 03 Jan 2002 11:12:38 -0800
Delivery-Date: Thu Jan 3 20:12:39 2002
In-Reply-To: <3C34737F.5275ED79@sun.com>
Sender: owner-keydist@cafax.se
User-Agent: Microsoft-Entourage/10.0.0.1331
Subject: Re: From whence we came...
Steve,

On 1/3/02 7:06 AM, "Steve Hanna" <steve.hanna@sun.com> wrote:

> I'm pretty sure that we want certs here, not just keys. Putting keys
> in DNS and relying on DNSSEC to authenticate the keys means that
> you're tied to the DNSSEC trust model. Top down, single root (per
> TLD), single certification policy that may not match an application
> or user's needs, etc. Not good!

I'd argue it is better than having no certification policy. Nor is using the DNSSEC trust model exclusive of all other trust models. I suspect it is good enough for most uses.

> Of course, using certs brings with it the problem of revocation.
> And certs are often big, so retrieving them from DNS is problematic.

Problematic in that it causes a fallback to TCP or problematic in other ways?

Rgds,
-drc