Re: Global PKI on DNS?

On 6/11/02 6:51 PM, "Derek Atkins" <derek@ihtfp.com> wrote:

> David Conrad <david.conrad@nominum.com> writes:
> 
>> Why do you think the roots and TLDs would get millions of TCP queries for
>> their certs?  Why would anyone want to get the certs of the roots or tlds?
> 
> Just to play devil's advocate, if a resolver was going to track a
> signature chain all the way back up, it's going to have to request the
> KEY/SIG records for all the parent domains all the way back to the
> root.  

Yes.  Thanks.  I'm quite well aware of how DNSSEC works.  Which is
completely unrelated to putting _certificates_ into the DNS.  You don't even
have to DNSSEC sign certificates in the DNS since people put trust in their
CAs.  

There is no reason anyone would care about the root or TLD certificates
(unless they had communication relevant to the root or TLD certificate
owners).  There is nothing stopping anyone from putting their certificates
into the DNS and making use of the DNS characteristics of global
scalability, reliability, redundancy, and caching.  Indeed, it would appear
some people are already doing so.

However, mention PKI and DNS in the same sentence and you get a fascinating
array of knee-jerk reactions.  All very amusing except for the fact that the
knee-jerking is hindering efforts by folks with valid problems from
standardizing on a (note: not _THE_, _A_) mechanism using the DNS to
distribute key information.

Is it just me or is the IETF becoming the place to not standardize
protocols?

Rgds,
-drc
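The two load models argued over in this thread, a validating resolver walking KEY/SIG records up to the root versus a plain CERT lookup that trusts the CA, can be shown side by side with a small constructed model. This is an added example written for this archive page, not code from either poster; the zone tree, key identifiers, trust anchor, and CERT record are all made up, and the "signed_by" field stands in for a real signature check so the chain logic can run offline.

```python
"""Toy model of DNSSEC chain walking versus a CERT-record lookup (constructed example)."""
from collections import Counter
from typing import Dict, List, Optional

# Constructed zone tree: each zone publishes a KEY whose id is vouched for
# ("signed_by") by the parent zone's key.  Real DNSSEC would carry SIG records;
# here the signer id is enough to show which queries a validator must make.
ZONES: Dict[str, Dict[str, Optional[str]]] = {
    ".": {"key_id": "root-key-1", "signed_by": None},
    "example.": {"key_id": "example-key-7", "signed_by": "root-key-1"},
    "www.example.": {"key_id": "www-key-3", "signed_by": "example-key-7"},
}
TRUST_ANCHOR = "root-key-1"  # the resolver's configured root key id (constructed)

# Constructed CERT record.  Trust in it comes from the issuing CA, so fetching
# it needs no walk to the root (the point made in the reply above).
CERT_RECORDS = {"alice.example.": "CERT placeholder for alice (constructed)"}


def ancestors(name: str) -> List[str]:
    """Names from the given name up to the root, e.g.
    'www.example.' -> ['www.example.', 'example.', '.']"""
    labels = name.rstrip(".").split(".") if name != "." else []
    chain = [".".join(labels[i:]) + "." for i in range(len(labels))]
    chain.append(".")
    return chain


class Resolver:
    """Counts authoritative queries per zone, with or without a positive cache."""

    def __init__(self, use_cache: bool = True, zones: Dict = ZONES):
        self.use_cache = use_cache
        self.zones = zones
        self.key_cache: Dict[str, Dict] = {}
        self.queries: Counter = Counter()

    def fetch_key(self, zone: str) -> Dict:
        """Return a zone's KEY record, hitting the authority unless cached."""
        if self.use_cache and zone in self.key_cache:
            return self.key_cache[zone]
        self.queries[zone] += 1
        record = self.zones[zone]
        if self.use_cache:
            self.key_cache[zone] = record
        return record

    def validate_chain(self, name: str) -> bool:
        """Walk KEY records from the closest enclosing zone up to the root and
        check that each key is vouched for by its parent, ending at the anchor."""
        chain = [z for z in ancestors(name) if z in self.zones]
        records = [self.fetch_key(z) for z in chain]
        for child, parent in zip(records, records[1:]):
            if child["signed_by"] != parent["key_id"]:
                return False
        return records[-1]["key_id"] == TRUST_ANCHOR

    def fetch_cert(self, name: str) -> str:
        """One query to the zone holding the record; no chain walk at all."""
        zone = next(z for z in ancestors(name) if z in self.zones)
        self.queries[zone] += 1
        return CERT_RECORDS[name]


def simulate(names: List[str], use_cache: bool) -> Dict[str, int]:
    """Validate each name in turn and report authoritative queries per zone."""
    resolver = Resolver(use_cache=use_cache)
    for name in names:
        resolver.validate_chain(name)
    return dict(resolver.queries)


if __name__ == "__main__":
    lookups = ["www.example."] * 1000
    print("no cache :", simulate(lookups, use_cache=False))
    print("with cache:", simulate(lookups, use_cache=True))
    r = Resolver()
    r.fetch_cert("alice.example.")
    print("CERT lookup:", dict(r.queries))
```

Running it shows the shape of both arguments: without a cache, a thousand validations of one name send a thousand KEY queries to the root and to the TLD-level zone; with a cache the root and parent are each asked once. The CERT lookup never touches the root at all, since the validation happens against the CA rather than against DNSSEC.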

