

To: David Conrad <david.conrad@nominum.com>
cc: Key Distribution <keydist@cafax.se>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 12 Jun 2002 08:28:59 -0700
In-reply-to: Your message of "Wed, 12 Jun 2002 08:18:00 PDT." <B92CB438.C9C6%david.conrad@nominum.com>
Sender: owner-keydist@cafax.se
Subject: Re: Global PKI on DNS?

> [cc reset to keydist]
I don't subscribe to this list, so you'll need to cc me if you
expect me to reply to your replies.

> On 6/12/02 6:49 AM, "Eric Rescorla" <ekr@rtfm.com> wrote:
> > If all you want to do is cram PKIX/X.509 certs into the DNS, the
> > question becomes: why?
>
> Because:
>
> > Nearly all of the major IETF security protocols (TLS, IPsec, OpenPGP)
> > already have their own certificate discovery mechanism
>
> More specifically, as far as I can tell (and, of course, I'm not a "card
> carrying credentialed security person", so I shouldn't speak out of turn,
> but...), none of the myriad existing key distribution mechanisms have been
> deployed on anything like a significant scale.
Huh? You must have somehow missed the millions of SSL sites on the net.

In any case, I'm not sure what you mean by "key distribution
mechanisms". The protocols in question typically have a way for one
peer to give the other their certificate. This is vastly easier
than trying to insert a certificate into some DNS server.

> Why reinvent the wheel each time a new protocol is developed?
As protocol complexity goes, the difficulty of moving the certificates
around when the associations are created is really trivial, and
it's extremely convenient to have things be self-contained.

-Ekr