ietf-openpgp
RE: Principles and Principals

1997-09-24 10:48:26
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As far as validating email addresses, DNSSEC is an alternative to the PGP
web of trust model.  It basically uses a hierarchical key certification
structure based on the DNS hierarchy.  The idea is that the administrator
of pgp.com would be in the best position to validate addresses within that
domain, like hal@pgp.com.

One problem with this is that the administrator may not be trustworthy,
and/or that there may be too many users for the administrator to
adequately check identity.  I don't know how many domain names there are,
probably hundreds of thousands.  The administrator of .com is going to
have a big job making sure that every tom-dick-and-harry.com has the right
key registered.  Likewise it may be easy in some cases to persuade a
low-level DNS administrator to put out a fake key.

DNSSEC is better than nothing, but it is no substitute for key
certifications by people you know and trust.

We looked into putting PGP certificates into the DNS as an alternative, so
that you would use DNS to find the keys (given an email address) but that
the keys could have other signatures on them (possibly in addition to the
DNSSEC domain signature).  You still have the reverse lookup problem (finding
key given keyid), and at this point it looks like LDAP and HTTP are more
promising approaches for key distribution.

Hal Finney
hal@pgp.com
hal@rain.org

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBNClLq8Dh8jnv1nHwEQJmcACeL/7CnDTDZtLPgEieuW2TawghJdsAnjpm
3OmSV2j+B/GTouBJtipj0wWt
=XkW7
-----END PGP SIGNATURE-----
