On 09/22/2015 05:11 PM, Paul Wouters wrote:
> On Tue, 22 Sep 2015, John C Klensin wrote:
>
>> However, if you believe that, because of trust issues, people
>> get keys only from personal contacts rather than indirectly from
>> public databases, why are we discussing yet another public
>> database-based approach? Or are you convinced that the problem
>> with the other public databases is that the DNS is inherently
>> better for some reason such as the inability of third parties
>> not associated with the domain in the address to add keys?
>
> Yes.
>
> The other common use problem is not being able to delete keys, so you end
> up using a keyserver, get a (verified by WoT) key and then in response
> you get a plaintext message saying "I forgot my passphrase so I cannot
> delete/revoke my old key". With DNS, you can remove the key from DNS
> without needing the private key or passphrase to it.
>
> Paul
>

Actually, the DNS manipulation is not deleting a key; it's preventing it from being found.

Revocation is "I, the signer of this revocation, declare that this key is not worthy of trust". (The difference between a CRL and a PGP-style revocation is who signs the revocation - both have their place in the pantheon of web-of-trust models.)

Deleting from the DNS is just making the key (and its signatures) harder to find.