ietf-openpgp

Re: The purpose of this mailing list

1997-09-15 10:45:34
"William H. Geiger III" <whgiii@invweb.net> writes:

I see some serious problems with using the DNS for key lookups &
distribution.

- -- What do we do with keys that do not have a "domain"?

Manage them some other way, or not at all.  One of the nice things
about PGP is that you don't need to follow the rules.  However, one
thing the IETF has learned is that to have global interoperability,
you need to have some ground rules, usually known in the IETF as a
"mandatory-to-implement" protocol/transform/whatever.  Implementations
are free to do other things as well, and domainless keys seem to fall
in that category.  Blacknet can get their key out by periodic posts to
cypherpunks, or whatever.

- -- What do we do with sites that do not wish to manage PGP keys?
(currently the PKI is being done on a voluntary basis).

What did we do with sites that did not wish to manage DNS servers?

As clients began to use DNS and administrators stopped maintaining
HOSTS.TXT, such sites evolved or perished.  We certainly need a
transition period, where users with uncooperative domain admins can
still publish their keys.  Whatever is proposed (DNS, LDAP, or
something else), if it is distributed (as it must be, to scale),
getting sites to use it will require time and education.

- -- How do we solve the problem of redundance? ie where are the backups?

How do we solve the problem of redundance with DNS?  ie where are the
backups?

DNS inherently supports secondary servers.

- -- How do we handle keys that cover multiple domains?

How do we handle hosts named in multiple domains?

CNAMEs are the obvious answer, or you store the key in both domains
(similar to having multiple A records).

- -- What do we do about domains where PGP is illegal?? (Russia, France,
China, Cuba, ...)

The IETF does not concern itself with local politics.  IPsec is
mandatory for IPv6, and DES is mandatory for IPsec.  DES is illegal in
those countries, too, but IPsec and IPv6 are progressing on the
standards track with DES as a mandatory transform regardless.
Governments which insist on maintaining such policies can evolve or
perish :-)


All that said, I'm not convinced DNS is the right infrastructure.  But
you'll need to come up with some better objections.

                Marc
