On Thu, 14 Aug 2003 01:45:51 +0200 Simon Josefsson <jas(_at_)extundo(_dot_)com>
wrote:
> I believe that what is lacking is not a technical solution (DNS CERT
> RR, LDAP and SRV, etc) but a guideline document, supported by the
> S/MIME community, that you can point at when e-mail application makers
> ask questions such as the one that started this thread.
>
> One reason why the DNS CERT solution has been proposed may be that
> the LDAP via SRV idea hasn't been fully documented in an Internet-wide
> S/MIME environment, leaving the problem unsolved.

I agree. The problem with PKI has always been that it is difficult to
experiment. I think that we have enough real world experience now that
we should try some alternative things. I think that we do need to
experiment with this. It's time to come up with some working solutions
and then document them, not the other way around.

> One argument for certificates in DNS could be that many ISPs are
> familiar with running public DNS, but not as many ISPs run public
> LDAP. So instead of upgrading their tools, they would have to learn
> new tools with LDAP. [All under the assumption that ISPs will be
> required to administer the certificate directory, which I'm not sure
> is the best solution.]

Yes.
Cheers.
---
Steve Hole
Chief Technical Officer - Electronic Billing and Payment Systems
ACI Worldwide
Email: holes(_at_)aciworldwide(_dot_)com
Phone: 780 424 4922