On 6/11/02 6:51 PM, "Derek Atkins" <derek@ihtfp.com> wrote:

> David Conrad <david.conrad@nominum.com> writes:
>
>> Why do you think the roots and TLDs would get millions of TCP queries for
>> their certs? Why would anyone want to get the certs of the roots or TLDs?
>
> Just to play devil's advocate, if a resolver was going to track a
> signature chain all the way back up, it's going to have to request the
> KEY/SIG records for all the parent domains all the way back to the
> root.

Yes. Thanks. I'm quite well aware of how DNSSEC works. Which is completely unrelated to putting _certificates_ into the DNS. You don't even have to DNSSEC-sign certificates in the DNS since people put trust in their CAs. There is no reason anyone would care about the root or TLD certificates (unless they had communication relevant to the root or TLD certificate owners).

There is nothing stopping anyone from putting their certificates into the DNS and making use of the DNS characteristics of global scalability, reliability, redundancy, and caching. Indeed, it would appear some people are already doing so.

However, mention PKI and DNS in the same sentence and you get a fascinating array of knee-jerk reactions. All very amusing except for the fact that the knee-jerking is hindering efforts by folks with valid problems from standardizing on a (note: not _THE_, _A_) mechanism using the DNS to distribute key information.

Is it just me or is the IETF becoming the place to not standardize protocols?

Rgds,
-drc