ietf-smime

RE: PKI and S/MIME

2003-08-14 09:38:14

On Wed, 13 Aug 2003 15:05:49 -0700 Blake Ramsdell 
<blake(_at_)brutesquadlabs(_dot_)com> wrote:

> A better question for the DNS distribution of certificates is whether or
> not this smells like it would be the most likely thing to get deployed.
> My understanding is that you would need DNS servers that supported the
> particular record types required for this functionality, as well as
> administrative tools to upgrade those records that are different than
> typical DNS administration tools.  To me, that doesn't smell as good.

Actually, I think that there are two barriers:

1. Deployment of DNS-SEC. People have to go out of their way to do it 
right now.   It takes some work both to deploy the right software and to 
get the relationship set up with the domain registration service.   Not 
all services offer it.

2. Client support.   Basically this means that Outlook, Outlook Express, 
Netscape (and down the list) of clients have to support it.   It means a 
CSP for the Windows twins and a module in the new Netscape/Mozilla 
security API.

Of the two, the second is the hardest.   Policy, usage and deployment of 
S/MIME and PKI are very much shaped by the implementation of the clients.  
Any changes have to propagate through the clients to be useful.

Cheers.

---
Steve Hole
Chief Technical Officer - Electronic Billing and Payment Systems
ACI Worldwide

Email: holes(_at_)aciworldwide(_dot_)com
Phone: 780 424 4922


