Shouldn't we have this discussion in keydist instead? I know keydist isn't a working group yet but we do have a list for such discussion...

-James Seng

listadm@loki.ietf.org wrote:
>
> on 6/8/2002 8:22 AM Franck Martin said the following:
>
> > I was wondering if the best system to build a global PKI wouldn't be the
> > DNS system already in place?
>
> This is an ongoing argument. Essentially there are two camps:
>
> Pro--there's a global database out there, let's put useful stuff
> into it. Certs is a no-brainer, but people have also argued for
> baseball scores, usernames, and everything else short of kitchen
> sink inventories.
>
> Con--the more crap you put into DNS, the less usable it becomes for
> its primary purpose of providing fast and lightweight lookups
> for Internet resources. While certs can be argued to be in that
> camp, they cannot be handled with fast and lightweight lookups.
>
> As other people have already pointed out, the use of large objects
> requires that clients and servers use TCP for lookups. TCP imposes a large
> burden on servers (especially busy servers) in comparison to UDP. Add to
> that the fact that many DNS systems do not support the use of TCP for
> queries whatsoever, meaning that it just won't work with a large number of
> systems in the first place. And even if it did work, it would result in
> other simple lookups failing, essentially punishing everybody for the
> benefit of a single application.
>
> > It would be the easiest way as apparently nobody is trying to build a
> > global PKI infrastructure and LDAP people can't agree on a global
> > standard to link each ldap server to each other, which DNS has...
>
> There is some work underway to develop an LDAP infrastructure for the
> Internet community, with DNS being used as a stub to kickstart the
> process. That will get you the same thing as what you want, but without
> crushing DNS as a result.
>
> --
> Eric A. Hall http://www.ehsco.com/
> Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
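To make the size argument in the quoted message concrete, here is an added example (not part of the thread) that builds a minimal DNS reply for an A record and for a CERT record (RFC 4398) carrying a constructed 1200-byte stand-in for a DER certificate, then checks whether each fits the 512-byte UDP payload that classic DNS allows without EDNS0; the oversize reply gets the TC bit set and has to be carried over TCP with its 2-byte length prefix. The name example.com and the certificate bytes are made up for the example.

```python
import struct

UDP_LIMIT = 512              # RFC 1035 UDP payload limit (no EDNS0)
TYPE_A, TYPE_CERT = 1, 37    # RR type codes (CERT: RFC 4398)
TC_BIT = 0x0200              # "truncated" flag in the header flags field

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(name, rtype, rdata, txid=0x1234):
    """Minimal DNS response: header, one question, one answer RR."""
    # flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", rtype, 1)   # class IN
    # answer owner name is a compression pointer to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return header + question + answer

def cert_rdata(cert_der):
    """CERT RDATA (RFC 4398): cert type 1 = PKIX, key tag, algorithm, certificate."""
    return struct.pack("!HHB", 1, 0, 0) + cert_der

def needs_tcp(msg, limit=UDP_LIMIT):
    """True if the reply cannot be delivered whole in a classic UDP datagram."""
    return len(msg) > limit

def set_tc(msg):
    """Flag a reply as truncated so the client retries over TCP (RFC 1035 4.2.1).
    A real server would also drop the sections that did not fit."""
    flags = struct.unpack("!H", msg[2:4])[0] | TC_BIT
    return msg[:2] + struct.pack("!H", flags) + msg[4:]

def tcp_frame(msg):
    """Over TCP every DNS message is prefixed by a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

# constructed sample data: one A record and a 1200-byte stand-in for a DER cert
A_REPLY = build_response("example.com", TYPE_A, bytes([192, 0, 2, 10]))
FAKE_CERT = b"\x30\x82" + bytes(1198)      # not a real certificate, only its size
CERT_REPLY = build_response("example.com", TYPE_CERT, cert_rdata(FAKE_CERT))

if __name__ == "__main__":
    for label, reply in (("A", A_REPLY), ("CERT", CERT_REPLY)):
        print(f"{label}: {len(reply)} bytes, needs TCP: {needs_tcp(reply)}")
```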