David Conrad <david.conrad@nominum.com> writes:

> There is no reason anyone would care about the root or TLD certificates
> (unless they had communication relevant to the root or TLD certificate
> owners). There is nothing stopping anyone from putting their certificates
> into the DNS and making use of the DNS characteristics of global
> scalability, reliability, redundancy, and caching. Indeed, it would appear
> some people are already doing so.
>
> However, mention PKI and DNS in the same sentence and you get a fascinating
> array of knee jerk reactions. All very amusing except for the fact that the
> knee jerking is hindering efforts by folks with valid problems from
> standardizing on a (note: not _THE_, _A_) mechanism using the DNS to
> distribute key information.

If all you want to do is cram PKIX/X.509 certs into the DNS, the question
becomes: why? Nearly all of the major IETF security protocols (TLS, IPsec,
OpenPGP) already have their own certificate discovery mechanism and therefore
have no need to have certificates in the DNS. TLS, in particular, wouldn't
know what to do with them if they were there.

The only IETF security protocol which I can think of that doesn't have a
mechanism is S/MIME. The problem with S/MIME only exists when someone wants to
send an encrypted e-mail to someone they've never spoken to before.
(Certificates are already delivered along with signed messages.) But then,
I'm not sure that I see enough deployment of S/MIME or S/MIME certificates to
find this a very compelling argument...

-Ekr

--
[Eric Rescorla ekr@rtfm.com]
http://www.rtfm.com/