To: John Stracke <jstracke@incentivesystems.com>
Cc: Key Distribution <keydist@cafax.se>
From: Greg Hudson <ghudson@MIT.EDU>
Date: 13 Jun 2002 15:22:43 -0400
In-Reply-To: <OF4A931F67.FFE1C8BB-ON85256BD7.004D98DC@incentivesystems.com>
Sender: owner-keydist@cafax.se
Subject: RE: Global PKI on DNS?

(CC list pruned to keydist.)

On Thu, 2002-06-13 at 10:08, John Stracke wrote:
> > The CERT extension to DNS allows one to place a URI there; a URI is smaller than
> > a cert and stays in a UDP packet.
> 
> Bootstrap problem: how can you trust the results of the URI?

You're confusing two different things people want to do with DNS and
public keys, I think.

Some people just want to use DNS as a lookup service for certificates. 
You trust the certificates because they're signed by a CA, not because
of DNSSEC.  This might be a good idea (because DNS is an existing,
replicated, mature, cached service) or it might be a bad idea (because
DNS is an old protocol with limited transfer size and no congestion
control, etc.).

Some people want to use DNSSEC to protect application keys or to
additionally protect certificates.  You can do this by putting keys in
DNS, or by putting key fingerprints in DNS and looking up the keys some
other way, or a bunch of other variations.  This might be a good idea
(because it unifies naming and authentication, because it's simpler than
X.509, etc.) or it might be a bad idea (because it encourages a single
authentication root, because DNS administrators aren't smart enough to
handle keys, etc.).

The people you're responding to were probably only talking about the
first goal.  The appropriate class of argument is not "but then we can't
trust the results of the URI, because it's not protected by DNSSEC" but
"I want to use DNS instead of HTTP because I think it's a better service
for that purpose."  (Or "because it's simpler" or whatever.  I'm not
trying to argue for one side or the other right now.)
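The two trust models separated above, as an added example that is not part of this message or of any project discussed in the thread: in the first model DNS is only a locator, so the certificate fetched from the URI in a CERT record is trusted solely because a CA signed it; in the second model a DNSSEC-signed fingerprint in DNS is matched against a key obtained some other way. The CERT RDATA layout and the URI type code 253 follow RFC 2538, the key-tag checksum follows RFC 4034 Appendix B, the 512-byte limit is the pre-EDNS0 UDP size from RFC 1035, and every record, URI and key blob is constructed for the demonstration. Because the Python standard library has no X.509 support, the CA validation step is a caller-supplied callable, and the stand-in used in the demo is labelled as such.

```python
"""Added example (not from the thread): the two DNS/PKI trust models in code.

Goal 1, DNS as a locator: a CERT RR of type URI (RFC 2538, type code 253)
points at a certificate; the certificate is trusted because a CA signed it,
not because DNS returned the URI.
Goal 2, DNSSEC-protected material: a key fingerprint lives in DNS and the
key fetched elsewhere must match it.
All sample data below is constructed for the demonstration.
"""
import hashlib
import hmac
import struct

# RFC 2538 certificate type codes used here.
CERT_TYPE_PKIX = 1           # X.509 certificate carried inline
CERT_TYPE_URI = 253          # URI telling the client where to fetch the certificate
CLASSIC_DNS_UDP_LIMIT = 512  # RFC 1035 maximum UDP message size (before EDNS0)


def build_cert_rdata(cert_type: int, key_tag: int, algorithm: int, payload: bytes) -> bytes:
    """CERT RDATA: type (2 bytes) | key tag (2) | algorithm (1) | certificate or URI."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + payload


def parse_cert_rdata(rdata: bytes) -> dict:
    """Split CERT RDATA into its fields; rejects records shorter than the fixed header."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-byte fixed header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return {"type": cert_type, "key_tag": key_tag, "algorithm": algorithm, "payload": rdata[5:]}


def compute_key_tag(public_key: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the key material."""
    ac = 0
    for i, b in enumerate(public_key):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def _name_to_wire(name: str) -> bytes:
    """Encode an owner name as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def fits_in_classic_udp(owner: str, rdata: bytes) -> bool:
    """Size estimate for a one-question, one-answer response without EDNS0:
    header (12) + question (name + 4) + answer (2-byte name pointer + 10 fixed + rdata)."""
    size = 12 + len(_name_to_wire(owner)) + 4 + 2 + 10 + len(rdata)
    return size <= CLASSIC_DNS_UDP_LIMIT


def trust_via_lookup(rdata: bytes, fetch, ca_verify) -> bool:
    """Goal 1: DNS only says where the certificate is. fetch(uri) retrieves it and
    ca_verify(blob) decides trust; DNSSEC plays no part in this decision.
    Both callables are caller-supplied (the stdlib has no X.509 chain validation)."""
    rec = parse_cert_rdata(rdata)
    if rec["type"] != CERT_TYPE_URI:
        raise ValueError("expected a URI-type CERT record")
    uri = rec["payload"].decode("ascii")
    return bool(ca_verify(fetch(uri)))


def trust_via_fingerprint(published_fingerprint: bytes, key_bytes: bytes) -> bool:
    """Goal 2: a SHA-256 fingerprint published (and DNSSEC-signed) in DNS must match
    the key obtained by other means. The constant-time compare avoids a timing leak."""
    return hmac.compare_digest(published_fingerprint, hashlib.sha256(key_bytes).digest())


if __name__ == "__main__":
    # Constructed sample data: a URI-type CERT record and a fake web of one document.
    uri_rr = build_cert_rdata(CERT_TYPE_URI, 0, 0, b"https://pki.example/ca.crt")
    fake_web = {"https://pki.example/ca.crt": b"-----BEGIN CERTIFICATE----- (constructed blob)"}
    # Stand-in for real CA chain validation: only the one constructed blob "verifies".
    ca_verify = lambda blob: blob == fake_web["https://pki.example/ca.crt"]
    print("goal 1 trusted:", trust_via_lookup(uri_rr, fake_web.__getitem__, ca_verify))
    key = b"constructed public key bytes"
    print("goal 2 match:", trust_via_fingerprint(hashlib.sha256(key).digest(), key))
    print("URI record fits in 512-byte UDP:", fits_in_classic_udp("pki.example", uri_rr))
    inline = build_cert_rdata(CERT_TYPE_PKIX, compute_key_tag(key), 0, b"\x30" * 600)
    print("600-byte inline cert fits:", fits_in_classic_udp("pki.example", inline))
```

The size check is where the two positions in the thread meet: a URI-type record stays well inside the classic 512-byte UDP response, while an inline 600-byte certificate does not, which is the practical reason the original poster suggested URIs. The check also makes visible why John's objection does not apply to the first model: `trust_via_lookup` never consults DNSSEC, so the URI can be entirely untrusted and the decision still rests on `ca_verify`.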


Home | Date list | Subject list