To:
Derek Atkins <derek@ihtfp.com>
cc:
David Conrad <david.conrad@nominum.com>, Key Distribution <keydist@cafax.se>
From:
Eric Rescorla <ekr@rtfm.com>
Date:
Wed, 12 Jun 2002 15:17:47 -0700
In-reply-to:
Your message of "12 Jun 2002 14:35:03 EDT." <sjmit4o5ors.fsf@kikki.mit.edu>
Sender:
owner-keydist@cafax.se
Subject:
Re: Global PKI on DNS?
> Eric Rescorla <ekr@rtfm.com> writes:
>
> > Let's take a step back here: The message I was responding to was just
> > suggesting shoving X.509 certs into the DNS. I don't think that's of
> > much value. This is a different question from whether some parallel
> > DNS-based PKI would be of value.
>
> The value is the ability to use the existing infrastructure where:
> a) the naming is the same (domain names)
> b) the "delegations" are the same (domain names)
> c) you need this out-of-band certificate lookup capability.

Yes, I know these arguments. My point was that that wasn't the issue
I was addressing.

> There are multiple issues going on here. One issue is using DNS
> _purely_ as a certificate lookup/distribution technology, where
> applications verify the certificate themselves. When the certificate
> is naming domain-name-like entities, it would seem that re-using the
> existing distributed database based on the same names would be a major
> win.

Except that, as I said, many of the important protocols already have
their own distribution mechanisms. Those mechanisms are vastly easier
than using DNS.

> > , but I also don't think it's that
> > important or valuable. People can't even be bothered to get
> > certificates now, let alone arrange for their admin to cram them
> > in the DNS.
>
> Well, others seem to feel that this is either important or valuable.
> Since you don't have any objection to the concept, then perhaps we can
> still move forward.

I'd like to understand what's being moved forward with, first, namely,
a cert distribution solution or a full PKIX replacement.

-Ekr