To: "RL 'Bob' Morgan" <rlmorgan@washington.edu>
Cc: openssl-users@openssl.org, ietf <ietf@ietf.org>, <isdf@isoc.org>, Key Distribution <keydist@cafax.se>
From: Eric Rescorla <ekr@rtfm.com>
Date: 12 Jun 2002 10:03:55 -0700
In-Reply-To: "RL 'Bob' Morgan"'s message of "Wed, 12 Jun 2002 09:50:49 -0700 (PDT)"
Reply-to: EKR <ekr@rtfm.com>
Sender: owner-keydist@cafax.se
Subject: Re: Global PKI on DNS?

"RL 'Bob' Morgan" <rlmorgan@washington.edu> writes:

> On 12 Jun 2002, Eric Rescorla wrote:
>
> > Yes, because it's an edge case.
>
> So:  "scalability is an edge case".  I will restrain myself from
> commenting further on this point.
Good, because that's not what I said.

I expect peers to send full cert chains to a small number of common
roots. There's no reason this can't be made to scale, and since
it's the only thing that works at all now, there's every reason to
expect that it's what we'll continue to be using in the future.

> > We barely have any PKI at all, I think it's a little early to start
> > worrying about cross-certification.
>
> I'm sure you're aware that many folks, including Your Federal Government,
> are designing and building systems that rely on cross-certification even
> as we type. You may think these are doomed to failure (I have my doubts
> myself) but you can't deny that they have requirements to meet.
As you say, I think that those systems are doomed to failure. Even if
I didn't it's not at all clear to me that the number of cross-linking
certificates is going to be anywhere near large enough to require
them to be fetched via DNS.

-Ekr

-- 
[Eric Rescorla                                   ekr@rtfm.com]
                http://www.rtfm.com/
