The CERT extension to DNS allows you to place a URI there; a URI is smaller than a cert and stays in a UDP packet. The X.509v3 extensions allow you to place a URI to look for PKI and CRL data, so clients are already able to deal with a lot of URIs (mainly HTTP and LDAP). Now you are looking for a cert or public key of a site or e-mail: you query the DNS, which gives you the URI where to look for the PKI...

As someone said, the main problem is S/MIME, which does not have a protocol to look for public keys globally. I think DNS can do the job... There just needs to be a little bit of coordination and an agreed mapping and protocol to use DNS for a global PKI.

Franck Martin
Network and Database Development Officer
SOPAC South Pacific Applied Geoscience Commission
Fiji
E-mail: franck@sopac.org
Web site: http://www.sopac.org/
Support FMaps: http://fmaps.sourceforge.net/
Certificate: https://www.sopac.org/ssl/

This e-mail is intended for its addressees only. Do not forward this e-mail without approval. The views expressed in this e-mail may not necessarily be the views of SOPAC.

-----Original Message-----
From: Chris Evans [mailto:teknopup@bigvalley.net]
Sent: Thursday, 13 June 2002 4:46
To: David Conrad; Derek Atkins
Cc: Eric A. Hall; John Stracke; ietf; isdf@isoc.org; Key Distribution; openssl-users@openssl.org
Subject: Re: Global PKI on DNS?

Then a global PKI protocol server needs to be invented so you can just get the certs from the domain in question. I don't wanna see the DNS system bogged down by this stuff. IMHOOC! Use DNS to get the IP and request from its IP the PKI doc.. duh.

6/11/02 6:51:26 PM, Derek Atkins <derek@ihtfp.com> wrote:
> David Conrad <david.conrad@nominum.com> writes:
>
>> Why do you think the roots and TLDs would get millions of TCP queries for
>> their certs? Why would anyone want to get the certs of the roots or tlds?
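Franck's point above is that a CERT record can carry a pointer (a URI) rather than the certificate itself. The following is an added example, written for this thread and not code from any of the posters, showing what a resolver-side consumer of such records has to do: parse the CERT RDATA layout of RFC 4398 (type, key tag, algorithm, then the certificate or URL), accept only the indirect types that carry a URL, and apply a fetch policy (scheme allow-list, host present, rough size sanity check). The record contents, the allowed schemes and the hosts are constructed for the example.

```python
import struct
from urllib.parse import urlsplit

# CERT RR type codes from RFC 4398, section 2.1
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 4: "IPKIX", 5: "ISPKI",
              6: "IPGP", 7: "ACPKIX", 8: "IACPKIX", 253: "URI", 254: "OID"}
# Types whose certificate field holds a URL pointing at the real object
INDIRECT_TYPES = {4, 5, 6, 8, 253}
# Fetch policy for this example (a local choice, not mandated by the RFC)
ALLOWED_SCHEMES = {"https", "ldap"}
# Classic DNS/UDP payload limit; the real budget also covers headers and
# other sections, so this is a deliberately loose sanity check
MAX_UDP_PAYLOAD = 512


def build_cert_rdata(cert_type, key_tag, algorithm, payload):
    """Serialise CERT RDATA: 16-bit type, 16-bit key tag, 8-bit algorithm, data."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + payload


def parse_cert_rdata(rdata):
    """Split CERT RDATA into its fixed header and the trailing cert/URL bytes."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-byte fixed header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return {"type": cert_type,
            "type_name": CERT_TYPES.get(cert_type, "unassigned"),
            "key_tag": key_tag, "algorithm": algorithm, "data": rdata[5:]}


def pointer_from_cert(rdata):
    """Return (url, None) if the record is an acceptable pointer, else (None, reason).

    The URL is only a hint about where to fetch; the object retrieved must still
    be validated (chain, name, revocation) exactly as if it had arrived any other way.
    """
    if len(rdata) > MAX_UDP_PAYLOAD:
        return None, "RDATA exceeds %d bytes; will not fit a plain UDP answer" % MAX_UDP_PAYLOAD
    rec = parse_cert_rdata(rdata)
    if rec["type"] not in INDIRECT_TYPES:
        return None, "not an indirect (URL) type: %s" % rec["type_name"]
    try:
        url = rec["data"].decode("ascii")
    except UnicodeDecodeError:
        return None, "URL field is not ASCII"
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None, "scheme %r not permitted or host missing" % parts.scheme
    return url, None
```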