On Sun, 14 Sep 2003, Sergey Babkin wrote:

> Dean Anderson wrote:
> >
> > I propose we use DNS to keep the meeting minutes.
> >
> > Seriously, two things: This should be on namedroppers, and I have some
> > issues with it. Most obvious being that LDAP is already used in this
>
> As far as I understand, LDAP has a different scope: it's intended
> to be used within an organization while DNS has a world-wide
> distribution.

LDAP, like X.500, is designed with a globally unique namespace. I
understand there are patches to do referrals to other servers based on DNS
lookups of the CN. I've never run them, so I can't say too much about the
details. But I guess it works.

> > capacity. Secondly, there are multiple mail servers that handle a message.
> > Just look at the headers from an ietf list message. Having each mailserver
> > do these lookups and then sign the message many times is a lot of work,
> > and adds many times more text to the message in the form of signatures.
>
> In the simplest way it's enough to sign only at the first server
> that receives the message from the user and check the signature
> only on the last server that drops the message into a user's
> mailbox.

OK.

> > Further down on the list is the comment that mailserver authentication
> > isn't widely used.
>
> Well, the e-mail authentication is only one use of the keys in DNS.
> Actually, even the use of them for remote login is not such a bad idea:
> when establishing a login, instead of requesting a public key
> from the user by some other means, the administrator can just
> pull it from DNS and store it locally to prevent the possibility of
> spoofing in the future.

It could have been spoofed in the first place. And login assumes I always
have a static IP. If I have a dynamic IP, am I supposed to do a dynamic
update of my key?

--Dean