To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
cc: Key Distribution <keydist@cafax.se>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 12 Jun 2002 15:27:28 -0700
In-reply-to: Your message of "Wed, 12 Jun 2002 14:42:51 EDT." <200206121842.g5CIgq101671@marajade.sandelman.ottawa.on.ca>
Sender: owner-keydist@cafax.se
Subject: Re: Global PKI on DNS?
> > >>>>> "Eric" == Eric Rescorla <ekr@rtfm.com> writes:
> >> >>>>> "Eric" == Eric Rescorla <ekr@rtfm.com> writes:
> Eric> Nearly all of the major IETF security protocols (TLS, IPsec,
> Eric> OpenPGP) already have their own certificate discovery mechanism and
> Eric> therefore
> >> I guess I'm ignorant of them.
> >>
> >> Your email MTA seems to be 198.144.203.251. I want to send you an
> >> IPsec secured ping; where do I look for your key?
> >>
> >> If the email MTA supported STARTTLS, where would I look to get a copy of
> >> the certificate, other than inside the protocol?
>
> Eric> So, what you mean to say here is: "Aside from the place where I'm
> Eric> supposed to get certificates from, where am I supposed to get
> Eric> certificates from?"
>
> Yes, where am I supposed to get the certificates for the keys which signed
> the certificate that you gave me in protocol? You can't be assuming that
> there will always be a single level of trust, and we will all use the same CA?

No, I'm assuming that there are cert chains rooted to a few common CAs.
Since that's the case now, it seems like a pretty good assumption.
There's no need to assume that such chains are short.

> Well, all the MUAs that I've used try finger first.
> The key servers are useful, true. But they are not examples of distributed
> systems. Try, for instance, to get control of which ekr@rtfm.com key is returned
> at a given time, or in which order. You can't do that. You could do that if
> it was in your DNS server.

You must be assuming that people control their own DNS servers. This is not
the case the vast majority of the time.

-Ekr