ietf-smime

Re: PKI and S/MIME

2003-08-13 16:45:56

"Blake Ramsdell" <blake(_at_)brutesquadlabs(_dot_)com> writes:

> If I were going to hazard a guess about widely deployed public
> certificate repositories, I would say that there would be a better
> argument for LDAP than anything else.  Notice the careful wording here
> ;).  As much as the attempts to automatically map from an email address
> to an LDAP directory containing a certificate for that email address
> might not have progressed as well as we might like, I think that there
> is some hope of that being addressed through the SRV record which is (as
> far as I can tell) widely supported by DNS implementations.

I believe that what is lacking is not a technical solution (DNS CERT
RR, LDAP and SRV, etc.) but a guideline document, supported by the
S/MIME community, that you can point at when e-mail application makers
ask questions such as the one that started this thread.

One reason why the DNS CERT solution has been proposed may be that
the LDAP via SRV idea hasn't been fully documented in an Internet-wide
S/MIME environment, leaving the problem unsolved.

> A better question for the DNS distribution of certificates is whether or
> not this smells like it would be the most likely thing to get deployed.
> My understanding is that you would need DNS servers that supported the
> particular record types required for this functionality,

Support for this was added to major servers before 2000 or
thereabouts, so many are already using such DNS servers.

> as well as administrative tools to upgrade those records that are
> different than typical DNS administration tools.

Yes, someone, somewhere will have to do work to make the idea happen.

One argument for certificates in DNS could be that many ISPs are
familiar with running public DNS, but not as many ISPs run public
LDAP.  So instead of upgrading their tools, they would have to learn
new tools with LDAP.  [All under the assumption that ISPs will be
required to administer the certificate directory, which I'm not sure
is the best solution.]

Regards,
Simon
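The two lookup mechanisms the message compares, LDAP located through a DNS SRV record (RFC 2782) and a DNS CERT resource record (RFC 2538, later RFC 4398), are shown below as client-side plumbing. This is an added example, not code from the thread or from any S/MIME implementation; the SRV records and the certificate bytes are constructed sample data, and no real DNS or LDAP query is made. It derives the `_ldap._tcp.<domain>` owner name from an e-mail address, picks a target per the RFC 2782 priority/weight rules, builds an escaped LDAP filter on the `mail` attribute requesting `userCertificate;binary`, and parses CERT RR rdata (type, key tag, algorithm, certificate).

```python
"""Locating an S/MIME certificate for an e-mail address via DNS SRV + LDAP
or via DNS CERT RRs.  Added example with constructed data; no network I/O.
Caveat: neither an SRV nor a CERT answer is authenticated without DNSSEC,
so the certificate found must still be validated against a trusted CA.
"""
import random
import struct

# Constructed SRV RRset for _ldap._tcp.example.com. as (priority, weight, port, target).
SAMPLE_SRV = [
    (10, 60, 636, "ldap1.example.com."),
    (10, 40, 636, "ldap2.example.com."),
    (20, 0, 389, "backup.example.com."),
]

# Constructed stand-in for DER certificate bytes (a DER SEQUENCE, not a real cert).
SAMPLE_CERT = b"\x30\x03\x02\x01\x05"

CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP"}  # RFC 2538 / RFC 4398 type values


def srv_owner_name(email):
    """SRV owner name for the LDAP service of the address's domain part."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address: %r" % email)
    return "_ldap._tcp." + domain.lower().rstrip(".") + "."


def select_srv_target(records, rng=random.random):
    """Pick (host, port) from SRV records per RFC 2782: lowest priority wins,
    ties are broken by weighted random choice, weight-0 records placed first.
    A lone record with target '.' means the service is explicitly absent."""
    if not records:
        return None
    if len(records) == 1 and records[0][3] == ".":
        return None
    lowest = min(r[0] for r in records)
    group = sorted((r for r in records if r[0] == lowest), key=lambda r: r[1] != 0)
    total = sum(r[1] for r in group)
    pick = int(rng() * (total + 1)) if total else 0  # random integer in [0, total]
    running = 0
    for _prio, weight, port, target in group:
        running += weight
        if running >= pick:
            return target.rstrip("."), port
    _prio, _w, port, target = group[-1]
    return target.rstrip("."), port


def ldap_certificate_search(email):
    """LDAP filter (RFC 4515 escaping) and attribute list for the address."""
    esc = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\0": r"\00"}
    value = "".join(esc.get(c, c) for c in email)
    return "(mail=%s)" % value, ["userCertificate;binary"]


def build_cert_rdata(cert_type, key_tag, algorithm, certificate):
    """CERT RR rdata: 16-bit type, 16-bit key tag, 8-bit algorithm, cert bytes."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + certificate


def parse_cert_rdata(rdata):
    """Inverse of build_cert_rdata; rejects truncated rdata."""
    if len(rdata) < 5:
        raise ValueError("CERT rdata too short")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return {
        "type": CERT_TYPES.get(cert_type, str(cert_type)),
        "key_tag": key_tag,
        "algorithm": algorithm,
        "certificate": rdata[5:],
    }


def pkix_certificates(rdatas):
    """Keep only PKIX-type CERT records; S/MIME wants X.509, not PGP or SPKI."""
    return [r["certificate"] for r in map(parse_cert_rdata, rdatas) if r["type"] == "PKIX"]


if __name__ == "__main__":
    addr = "alice@example.com"
    print("SRV query:", srv_owner_name(addr))
    print("LDAP target:", select_srv_target(SAMPLE_SRV))
    print("LDAP search:", ldap_certificate_search(addr))
    rr = build_cert_rdata(1, 0, 0, SAMPLE_CERT)
    print("CERT RR:", parse_cert_rdata(rr))
```

Whichever repository answers, the result is only a candidate: the SRV target and the CERT rdata are unsigned DNS data unless DNSSEC is in use, and the LDAP server is trusted only for directory contents, so the certificate must still be chain-validated and its subjectAltName checked against the exact address that was looked up.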

