To: Keith Moore <moore@cs.utk.edu>
Cc: David Conrad <david.conrad@nominum.com>, Key Distribution <keydist@cafax.se>
From: Jakob Schlyter <jakob@crt.se>
Date: Wed, 12 Jun 2002 08:48:23 +0200 (CEST)
In-Reply-To: <200206120436.g5C4amn00179@astro.cs.utk.edu>
Sender: owner-keydist@cafax.se
Subject: Re: Global PKI on DNS?
On Wed, 12 Jun 2002, Keith Moore wrote:

> > OK, I'll bite. What are those problems?
>
> where to start? okay, first the fact that DNS RRs aren't very
> extensible, so if you want to cram something new that doesn't quite fit
> then you have an upgrade problem.

resolvers are transparent to new rr types, secondary servers are
beginning to be transparent and primary servers of course need to
support the rr types they are serving.

> second, DNS queries don't let you specify any parameters other than DNS
> name, class, and a single integer query type, which isn't exactly a good
> fit for "find me a cert that is signed by one of the N CAs that I trust,
> and which has these properties and/or does not impose these
> constraints".

most applications would be enough with a simple query such as
'mail.foo.bar in cert ?' and can select the appropriate certificates
out of what's returned themselves. if response size would be a problem,
one could use _srv style naming or some naptr-like indirect naming.

> DNS might be redundant, but I wouldn't want to emulate its reliability
> record, or its performance. I've seen too many DNS queries take longer
> than 30 seconds, too many servers providing obsolete information
> (probably because the zone was updated without incrementing the serial
> number, but sometimes because one server or another moved and they
> didn't get the configuration adjusted correctly).

misconfigured servers will always fail, no matter if they use dns, ldap
or what have you.

> it's almost as fun as trying to get old protocols to do things that they
> were never designed (and aren't well-suited) to do!

dns is pretty good at looking up some resource record, that does not
change too often, based on a domain name.

	jakob
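As an added illustration of the two points argued above (a plain CERT query returns the whole RRset and the client does the selection; response size is the thing to watch), here is a small parser for the CERT RDATA layout of RFC 2538 plus the client-side filter and a rough wire-size estimate. This is example code written for this archive page, not code from either correspondent; the key tags, certificate bytes and the 512-byte classic UDP limit used as the threshold are constructed sample values.

```python
import struct
from dataclasses import dataclass

# CERT RR type codes from RFC 2538 (the CERT RR as it stood in 2002).
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 253: "URI", 254: "OID"}
CLASSIC_UDP_LIMIT = 512  # pre-EDNS0 DNS/UDP message limit, used as the threshold here

@dataclass
class CertRR:
    cert_type: int
    key_tag: int
    algorithm: int
    cert: bytes

def build_cert_rdata(cert_type: int, key_tag: int, algorithm: int, cert: bytes) -> bytes:
    """Encode CERT RDATA: type(16 bits) | key tag(16) | algorithm(8) | certificate."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + cert

def parse_cert_rdata(rdata: bytes) -> CertRR:
    """Decode CERT RDATA; rejects records too short to carry the fixed header."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA too short")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return CertRR(cert_type, key_tag, algorithm, rdata[5:])

def select_certs(rrset, wanted_type: int, trusted_key_tags):
    """Client-side selection: DNS handed back the whole RRset for the name,
    so the application filters by certificate type and by the key tags it trusts."""
    return [rr for rr in rrset
            if rr.cert_type == wanted_type and rr.key_tag in trusted_key_tags]

def response_size(owner: str, rrset) -> int:
    """Approximate wire size of a reply carrying the RRset (no name compression):
    header(12) + question(name + 4) + per RR: name + type/class/TTL/RDLENGTH(10) + RDATA."""
    name_len = sum(len(label) + 1 for label in owner.rstrip(".").split(".")) + 1
    return 12 + name_len + 4 + sum(name_len + 10 + 5 + len(rr.cert) for rr in rrset)

def exceeds_udp_limit(owner: str, rrset) -> bool:
    return response_size(owner, rrset) > CLASSIC_UDP_LIMIT

# Constructed sample RRset for mail.foo.bar: three PKIX certs with placeholder bodies.
SAMPLE_RRSET = [parse_cert_rdata(build_cert_rdata(1, 12345, 5, b"A" * 300)),
                parse_cert_rdata(build_cert_rdata(1, 54321, 5, b"B" * 400)),
                parse_cert_rdata(build_cert_rdata(3, 12345, 0, b"C" * 200))]

if __name__ == "__main__":
    chosen = select_certs(SAMPLE_RRSET, 1, {12345})
    print(len(chosen), "cert(s) selected;", response_size("mail.foo.bar.", SAMPLE_RRSET), "bytes")
```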