

To: John Stracke <jstracke@incentivesystems.com>
CC: keydist@cafax.se, ietf@ietf.org, isdf@isoc.org, openssl-users@openssl.org
From: Peter Deutsch <pdeutsch@earthlink.net>
Date: Tue, 11 Jun 2002 15:25:10 -0700
Sender: owner-keydist@cafax.se
Subject: Re: Global PKI on DNS?

g'day,

John Stracke wrote:
>
> >Such software would not see this kind of data unless a user
> >of the server tried to use this stuff, and in that case I don't see
> >why that user couldn't upgrade her own software to get it to work.
>
> Because it's not their software? If I wanted to do PKI through DNS, and my
> ISP's server did not support TCP, I might be stuck.  Personally, I don't
> depend on my ISP for DNS, but many users do.

So users wanting this new service will be pretty motivated to switch DNS
servers when the time comes, what's the big deal in that? Somebody (I
think it was Keith) suggested earlier in this thread that nobody should
be trusted with the single PKI root. Maybe the same sentiment applies to
DNS roots, as well?? Certainly it would seem to apply to trusting them
with a single DNS service provider at the subroot level...

(As he hides behind blast wall, to avoid flying shrapnel...  ;-)


				- peterd

-- 
-----------------------------------------------------------------------
   Peter Deutsch                   peterd@earthlink.net


   "I had to do an assignment on wild animals, and I decided to
    do my report on alligators. To complete my research, I took a
    trip to the zoo. I wanted to make a day of it, so I took along
    my pet dog. I figured we could throw a little frisbee,
    enjoy the sun, but boy was that trip a disaster. I had to
    tell my teacher that my homework ate my dog..."

----------------------------------------------------------------------


