On Thu, 14 Aug 2003 05:30:34 -0700 "Hallam-Baker, Phillip"
<pbaker(_at_)verisign(_dot_)com> wrote:
> We considered certs in the DNS and LDAP before designing XKMS and rejected
> them. Both technologies have been available for at least 6 years with
> negligible uptake.
This is true for LDAP, but is it true for DNS? What specific "deploy
certs in DNS" technology are you talking about?
> We needed a new protocol because there was no acceptable
> existing solution. Sometimes designing a new protocol from scratch is better
> than attempting to use an inappropriate one.
Fair enough. Then you better figure out how, exactly, you are going to
deploy your new protocol for use with S/MIME. Specifically, you must do
what Blake suggests and write a profile for use. In particular, if I'm
sitting in my Netscape client and I want to send an encrypted message to
"Blake Ramsdell <blake(_at_)brutesquadlabs(_dot_)com>" without any prior
contact, how am I going to do that?
That profile must describe:
1. The collection of services and publication points for accessing the
information.
2. The approach that a client must take to do the lookup and resolve the
requested certificate.
I'm sure that you can do it. I'm also sure that you are going to have to
do *something* with DNS because how are you ever going to find your xkms
server? If there is an external xkms global hierarchy planned, then
pardon me if I'm dubious, but who is going to run the root? (Hint: I'm
unlikely to like *any* answer to that last question :-).
Cheers.
---
Steve Hole
Chief Technical Officer - Electronic Billing and Payment Systems
ACI Worldwide
Email: holes(_at_)aciworldwide(_dot_)com
Phone: 780 424 4922
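The two profile items Steve asks for (a publication point, and the exact lookup a client performs to resolve a certificate for a mailbox it has never seen) are what the later SMIMEA record (RFC 8162, standardized well after this 2003 exchange) pins down for the "certs in DNS" approach. The following is an added example, not code from this thread or from any XKMS or S/MIME implementation: it derives the SMIMEA owner name for blake@brutesquadlabs.com, parses the RDATA a resolver would hand back, and checks candidate certificates against it. The zone contents and the certificate bytes are constructed test data; the `SAMPLE_ZONE` dict stands in for a DNSSEC-validating resolver, since without DNSSEC whoever answers the query can substitute a certificate, which is the same trust-root question raised above about who runs an XKMS hierarchy.

```python
"""SMIMEA (RFC 8162) lookup and matching for an S/MIME recipient.

Added example for this thread, not code from the original message.
Certificate bytes and zone data are constructed, not real records.
"""
import hashlib
import struct
from typing import Dict, List, Optional

SMIMEA_LABEL = "_smimecert"

# RFC 8162 reuses the TLSA (RFC 6698) field semantics.
SELECTOR_FULL_CERT = 0   # match against the whole DER certificate
SELECTOR_SPKI = 1        # match against SubjectPublicKeyInfo only
MATCH_FULL = 0           # association data is the object itself
MATCH_SHA256 = 1         # association data is SHA-256 of the object
MATCH_SHA512 = 2         # association data is SHA-512 of the object


def smimea_owner_name(mailbox: str) -> str:
    """Map a mailbox to the DNS owner name that holds its SMIMEA records.

    RFC 8162 section 3: SHA-256 of the UTF-8 local part, truncated to
    28 octets and hex-encoded, then "._smimecert." and the domain part.
    """
    local_part, _, domain = mailbox.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not a mailbox: {mailbox!r}")
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}.{SMIMEA_LABEL}.{domain.rstrip('.')}."


def encode_smimea_rdata(usage: int, selector: int, matching: int,
                        cert_der: bytes) -> bytes:
    """Build RDATA: usage, selector, matching type, association data."""
    if selector != SELECTOR_FULL_CERT:
        raise NotImplementedError("SPKI selector needs an ASN.1 parser")
    if matching == MATCH_FULL:
        data = cert_der
    elif matching == MATCH_SHA256:
        data = hashlib.sha256(cert_der).digest()
    elif matching == MATCH_SHA512:
        data = hashlib.sha512(cert_der).digest()
    else:
        raise ValueError(f"unknown matching type {matching}")
    return struct.pack("!BBB", usage, selector, matching) + data


def parse_smimea_rdata(rdata: bytes) -> dict:
    """Split RDATA into fields; reject records too short to carry data."""
    if len(rdata) < 4:
        raise ValueError("SMIMEA RDATA truncated")
    usage, selector, matching = struct.unpack("!BBB", rdata[:3])
    return {"usage": usage, "selector": selector,
            "matching": matching, "data": rdata[3:]}


def certificate_matches(rdata: bytes, cert_der: bytes) -> bool:
    """Does a candidate certificate satisfy one SMIMEA record?"""
    rec = parse_smimea_rdata(rdata)
    if rec["selector"] != SELECTOR_FULL_CERT:
        return False  # SPKI matching not implemented in this example
    if rec["matching"] == MATCH_FULL:
        return rec["data"] == cert_der
    if rec["matching"] == MATCH_SHA256:
        return rec["data"] == hashlib.sha256(cert_der).digest()
    if rec["matching"] == MATCH_SHA512:
        return rec["data"] == hashlib.sha512(cert_der).digest()
    return False


def resolve_certificate(mailbox: str, zone: Dict[str, List[bytes]],
                        candidates: List[bytes]) -> Optional[bytes]:
    """Client procedure: query the owner name, then either take the full
    certificate from the record or pick the out-of-band candidate (from a
    signed message or a directory) that a returned record vouches for."""
    for rdata in zone.get(smimea_owner_name(mailbox), []):
        rec = parse_smimea_rdata(rdata)
        if rec["selector"] == SELECTOR_FULL_CERT and rec["matching"] == MATCH_FULL:
            return rec["data"]
        for cert in candidates:
            if certificate_matches(rdata, cert):
                return cert
    return None


# Constructed sample data: not a real certificate and not a real zone.
SAMPLE_CERT = b"\x30\x82\x01\x00" + b"brutesquadlabs-test-cert" * 4
SAMPLE_ZONE = {
    smimea_owner_name("blake@brutesquadlabs.com"): [
        encode_smimea_rdata(3, SELECTOR_FULL_CERT, MATCH_SHA256, SAMPLE_CERT),
    ],
}

if __name__ == "__main__":
    print(smimea_owner_name("blake@brutesquadlabs.com"))
    found = resolve_certificate("blake@brutesquadlabs.com", SAMPLE_ZONE, [SAMPLE_CERT])
    print("resolved" if found == SAMPLE_CERT else "no certificate")
```

The hash-of-local-part owner name means the zone does not enumerate its mailboxes, and a record with matching type 1 or 2 only vouches for a certificate the client already holds, so the "publication point" question splits into where the records live (the recipient's domain) and where full certificates come from (a matching type 0 record, or any directory, since the DNS record is what is trusted, not the source of the blob).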