I was wondering if the best system to build a global PKI wouldn't be the DNS system already in place?
The root servers would share the ROOT Certificates and would sign a certificate to each .org .com .net .fr,... managers of this domains...Which in turn would use these certificates to sign sub domains certificates...
The issued certifcates would have a constraint on the domain name to ensure that the certificate can only be used in sub domains... and would allow to be used for anything (web server, imap server, e-mail, code, document,...)
There would be an extension to the DNS protocol to add a type record which would allow to extract the certificate and the list of revoked certificates...
The system would have to be quite secure but DNSSec is in place now...
It would be the easiest way as apparently nobody is trying to build a global PKI infrastructure and LDAP people can't agree on a global standard to link each ldap server to each other, which DNS has...
Comments?
Cheers.