ietf-openpgp

Re: The purpose of this mailing list

1997-09-12 03:58:11

As the chief instigator of "Open-PGP", I intended this 'soon-to-be' 
Working Group to specify the following...
...
2. PGP as a Public Key (Cert) Infrastructure

How is the DNSSEC group going on its work to allow public keys to be
supplied by the DNS? This would seem a good method of PGP keyserving,
as:

a) It is totally distributed - there is no way the current system of
replicated master keyservers will scale to the millions and millions of
users we are aiming for;

b) PGP, in effect, uses e-mail addresses as its DNs. Ultimately, as Carl
Ellison's SPKI work says, a PGP certificate represents a cyberspace
entity, not a physical one. The most we can logically certify on a key,
in a large-scale PKI, is that the public key represents a user within a
domain who receives e-mail at that address. For example, my public key
ID is 'Ian Brown <I.Brown@cs.ucl.ac.uk>' - but unless I meet you
personally and give you a copy of my fingerprint/full key, there is no
way to make a connection between the virtual and physical me. And
really, there is little need to. All that is needed - which DNSSEC could
provide - is a guarantee by the cs.ucl.ac.uk domain that the public key
you possess really does belong to the person who receives mail at
I.Brown@cs.ucl.ac.uk.

However, it will not be nearly as easy if we use a SDSI solution where
the public key IS the DN. If I receive a PGP-encrypted message and know
only (say) the key ID, with a distributed system, where do I go to
retrieve the key? I think if we are to go the SDSI/SPKI route, we need
to embrace it wholeheartedly - so there just will not be a global
namespace, and so little need for keyservers.

Apologies if this is gibberish, but trying to reconcile DNSSEC, SDSI,
SPKI, X.509 and PGP is making my head spin a bit!

Ian.

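The domain-attested key lookup Ian sketches above, as an added example that is not part of this thread: it borrows the OPENPGPKEY owner-name scheme later standardised in RFC 7929 (SHA-256 of the local part, truncated to 28 octets, under _openpgpkey.<domain>), which the 1997 post does not specify, and replaces a DNSSEC-validating resolver with a constructed in-memory zone whose fingerprints are placeholders.

```python
import hashlib
import hmac


def openpgpkey_name(address: str) -> str:
    """Owner name under which the key for an address would be published.
    Assumed scheme (RFC 7929): hex of SHA-256(local-part) truncated to
    28 octets, as the left-most label under _openpgpkey.<domain>."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError("expected local-part@domain")
    label = hashlib.sha256(local.encode("utf-8")).hexdigest()[:56]
    return f"{label}._openpgpkey.{domain.lower()}"


# Constructed stand-in for a DNSSEC-validating resolver. A real resolver
# decides the 'authenticated' flag by validating the zone's signatures;
# here it is simply recorded next to each (placeholder) fingerprint.
ZONE = {
    openpgpkey_name("I.Brown@cs.ucl.ac.uk"): ("FPR-CONSTRUCTED-0001", True),
    openpgpkey_name("spoofed@cs.ucl.ac.uk"): ("FPR-CONSTRUCTED-0002", False),
}


def lookup_key(zone: dict, address: str):
    """Return the domain-attested fingerprint for an address, or None.
    An unauthenticated answer carries no guarantee from the domain, so it
    is treated the same as no answer at all."""
    entry = zone.get(openpgpkey_name(address))
    if entry is None:
        return None
    fingerprint, authenticated = entry
    return fingerprint if authenticated else None


def key_matches_address(zone: dict, address: str, received_fpr: str) -> bool:
    """Does the key we received really belong to the mailbox at address?
    True only when the domain's authenticated record agrees with it."""
    attested = lookup_key(zone, address)
    if attested is None:
        return False
    return hmac.compare_digest(attested, received_fpr)
```

Note that this answers only the question Ian raises, whether the key belongs to the mailbox; nothing in it links the key to a physical person, and a lookup keyed by the bare key ID has no owner name to query.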