To: Eric Rescorla <ekr@rtfm.com>
Cc: David Conrad <david.conrad@nominum.com>, Key Distribution <keydist@cafax.se>
From: Derek Atkins <derek@ihtfp.com>
Date: 12 Jun 2002 14:35:03 -0400
In-Reply-To: <200206121658.g5CGwIW11251@romeo.rtfm.com>
Sender: owner-keydist@cafax.se
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
Subject: Re: Global PKI on DNS?
Eric Rescorla <ekr@rtfm.com> writes:

> Let's take a step back here: The message I was responding to was just
> suggesting shoving X.509 certs into the DNS. I don't think that's of
> much value. This is a different question from whether some parallel
> DNS-based PKI would be of value.

The value is the ability to use the existing infrastructure where:

a) the naming is the same (domain names)
b) the "delegations" are the same (domain names)
c) you need this out-of-band certificate lookup capability.

There are multiple issues going on here. One issue is using DNS _purely_ as a certificate lookup/distribution technology, where applications verify the certificate themselves. When the certificate is naming domain-name-like entities, it would seem that re-using the existing distributed database based on the same names would be a major win.

The second issue is using the DNS (with DNSSEC) as a PKI. I know some people (Keith) have major problems with that issue, so let's separate them out.

> All of the interactive protocols have their own mechanisms. As I said,
> the screw cases are the store and forward encryption protocols,
> i.e. S/MIME and PGP. PGP at least has its own certificate
> distribution mechanism (in fact, more than one).

PGP doesn't define one, last I checked. There are the ad-hoc 'graff' and 'hkp' protocols, but they are ad-hoc.

> I don't have any basic objection to using DNS as a certificate
> distribution system for S/MIME

Good, so maybe we can move forward.

> , but I also don't think it's that
> important or valuable. People can't even be bothered to get
> certificates now, let alone arrange for their admin to cram them
> in the DNS.

Well, others seem to feel that this is either important or valuable. Since you don't have any objection to the concept, then perhaps we can still move forward.

Just because you don't see the value does not imply that there is no value ;)

> -Ekr

-derek

--
Derek Atkins
Computer and Internet Security Consultant
derek@ihtfp.com www.ihtfp.com