On Sun, 14 Sep 2003, Sergey Babkin wrote:
Dean Anderson wrote:
I propose we use DNS to keep the meeting minutes.
Seriously, two things: This should be on namedroppers, and I have some
issues with it. Most obvious being that LDAP is already used in this
As far as I understand, LDAP has a different scope: it's intented
to be used within an organization while DNS has a world-wide
LDAP, like X.500, is designed with a globably unique namespace. I
understand there are patches to do referals to other servers based on DNS
lookups of the CN. I've never run them, so I can't say to much about the
details. But I guess it works.
capacity. Secondly, there are multiple mail servers that handle a message.
Just look at the headers from an ietf list message. Having each mailserver
do these lookups and then sign the message many times is a lot of work,
and adds many times more text to the message in the form of signatures.
In the simplest way it's enough to sign only at the first server
that receives the message from the user and check the signature
only on the last server that drops the message into an user's
Further down on the list is the comment that mailserver authentication
isn't widely used.
Well, the e-mail authentication is only one use of the keys in DNS.
Actually, even the use of them for remote login is such not a bad idea:
when establishing a login instead of requesting a public key
from the user by some other means, the admininistrator can just
pull it from DNS and store locally to prevent the possibility of
spoofing in the future.
It could have been spoofed in the first place. And login assumes I always
have a static IP. If I have a dynamic IP, am I supposed to do a dynamic
update of my key?