To: EKR <ekr@rtfm.com>
Cc: Key Distribution <keydist@cafax.se>
From: David Conrad <david.conrad@nominum.com>
Date: Wed, 12 Jun 2002 08:18:00 -0700
In-Reply-To: <kjptywli8w.fsf@romeo.rtfm.com>
Sender: owner-keydist@cafax.se
User-Agent: Microsoft-Entourage/10.1.0.2006
Subject: Re: Global PKI on DNS?

[cc reset to keydist]

Hi,

On 6/12/02 6:49 AM, "Eric Rescorla" <ekr@rtfm.com> wrote:
> If all you want to do is cram PKIX/X.509 certs into the DNS, the
> question becomes: why?

Because:

> Nearly all of the major IETF security protocols (TLS, IPsec, OpenPGP)
> already have their own certificate discovery mechanism

More specifically, as far as I can tell (and, of course, I'm not a "card carrying credentialed security person", so I shouldn't speak out of turn, but...), none of the myriad existing key distribution mechanisms have been deployed on anything like a significant scale.

Why reinvent the wheel each time a new protocol is developed?

Rgds,
-drc