To:
Simon Josefsson <simon+keydist@josefsson.org>
cc:
Keith Moore <moore@cs.utk.edu>, keydist@cafax.se
From:
Keith Moore <moore@cs.utk.edu>
Date:
Wed, 12 Jun 2002 17:46:02 -0400
In-reply-to:
(Your message of "Wed, 12 Jun 2002 23:19:55 +0200.") <iluu1o89ouc.fsf@latte.josefsson.org>
Sender:
owner-keydist@cafax.se
Subject:
Re: Global PKI on DNS?
> The reason for using DNS to distribute certs isn't just some technical
> engineering idea that perhaps DNS could be tweaked into performing
> this role, the reason is that identity based security needs to be
> connected to the system that manages identities.
>
> Now, whether certificates/keys are actually transferred on the wire
> inside the DNS protocol or not is mostly irrelevant, the point is that
> the function of finding someone's keying material given only their
> name must work. I don't see how you can achieve that without
> inserting data or a pointer in DNS [or some other identity management
> system].

I agree with all of the above, except that I'm not convinced yet that how the certs are actually transferred is "mostly irrelevant". It seems to me that the limitations of the DNS protocol do impose fairly severe constraints on the use of such certs, which limit the applicability of sending certs using the DNS protocol. You absolutely do need the pointer to the cert server in DNS; the question in my mind is whether you actually want the certs themselves in DNS.

Keith