Paul Wouters <paul@xxxxxxxxx> writes:

> On Wed, 23 Sep 2015, John R Levine wrote:
>
>> Sure, but once again you're no better off than if you got the key
>> anywhere else. I understand the argument for better key servers and
>> maybe better ways to discover key servers (a URI record should do
>> it), but I don't understand the argument for a whole new mechanism
>> with new security, scaling, and semantic problems.
>
> Some people disagree with you and think DNSSEC is a viable PKI for their
> intended use. These people want to use DNSSEC. We can give those people
> an experimental RFC with OPENPGPKEY record, or we can force them to use
> an individual submitted draft with a TXT record stalled until expiry.

Or they can use the already specified CERT record, which GnuPG supports.
Yes, CERT has its own share of problems, that you have explained, but I
don't see that any of the issues you brought up with CERT (that I mostly
agree with, FWIW) has had bearing on its deployment success or not.

/Simon