ietf-smime

DNS CERT vs. LDAP (was: RE: PKI and S/MIME)

2003-08-13 17:05:29

-----Original Message-----
From: Simon Josefsson [mailto:jas(_at_)extundo(_dot_)com] 
Sent: Wednesday, August 13, 2003 4:46 PM
To: Blake Ramsdell
Cc: 'Anders Rundgren'; ietf-smime(_at_)imc(_dot_)org; 'Sean P. Turner'
Subject: Re: PKI and S/MIME

I believe that what is lacking is not a technical solution (DNS CERT
RR, LDAP and SRV, etc) but a guideline document, supported by the
S/MIME community, that you can point at when e-mail application makers
ask questions such as the one that started this thread.

Yes, this was the way I indeed started this thread ("PKI and S/MIME"),
by saying "select relevant other work and profile it for use in the
S/MIME interpersonal messaging domain" ;).  I think we're on the same
page.

My only point about LDAP is that I wanted to illustrate some of the
criteria for any potential profile by comparing two certificate
repository methods, and pointing out what I believe is a relevant
difference.

One reason why the DNS CERT solution has been proposed may be that
the LDAP via SRV idea hasn't been fully documented in an Internet-wide
S/MIME environment, leaving the problem unsolved.

But once again, if someone held a gun to my head and told me to try and
guess if CERT records and the infrastructure to maintain them would
achieve traction before LDAP and SRV records would, I would say LDAP and
SRV records.  This may be a matter of personal taste, but I like to
think that it is a practical answer based on limited experience with
managing my own domains.

as well as administrative tools to upgrade those records that are
different than typical DNS administration tools.

Yes, someone, somewhere will have to do work to make the idea happen.

I think the question is whether or not "someone, somewhere" for DNS CERT
records is better than "been there, done that" for LDAP or other
repositories.

Blake

