Re: Global PKI on DNS?

[Eric Rescorla <ekr@rtfm.com>]

David Conrad <david.conrad@nominum.com> writes:
> There is no reason anyone would care about the root or TLD certificates
> (unless they had communication relevant to the root or TLD certificate
> owners).  There is nothing stopping anyone from putting their certificates
> into the DNS and making use of the DNS characteristics of global
> scalability, reliability, redundancy, and caching.  Indeed, it would appear
> some people are already doing so.
>
> However, mention PKI and DNS in the same sentence and you get a fascinating
> array of knee jerk reactions.  All very amusing except for the fact that the
> knee jerking is hindering efforts by folks with valid problems from
> standardizing on a (note: not _THE_, _A_) mechanism using the DNS to
> distribute key information.

If all you want to do is cram PKIX/X.509 certs into the DNS, the
question becomes: why?

Nearly all of the major IETF security protocols (TLS, IPsec, OpenPGP)
already have their own certificate discovery mechanism and therefore
have no need to have certificates in the DNS. TLS, in particular,
wouldn't know what to do with them if they were there.

The only IETF security protocol protocol which I can think of that
doesn't have a mechanism is S/MIME. The problem with S/MIME only
exists when someone wants to send an encrypted e-mail to someone
who you've never spoken to before. (Certificates are already
delivered along with signed messages). But then, I'm not sure
that I see enough deployment of S/MIME or S/MIME certificates to
find this a very compelling argument....

-Ekr

-- 
[Eric Rescorla                                   ekr@rtfm.com]
                http://www.rtfm.com/