You are right that the scheme I proposed in 1422 did not succeed, and today I would not suggest it. But the reason I would not suggest it today is because I have come to believe that one should adopt CAs that are authoritative for the certs they issue, not "trusted" third parties. The DNS root is an example of such a CA, whereas RSA (proposed as the IPRA) was not. If we deploy DNSSEC in a full, top-down fashion, the effect is the same as what Kevin is suggesting, except that we would be using a standard cert format that is employed by many security protocols.
steve