Steve Hole <steve(_dot_)hole(_at_)messagingdirect(_dot_)com> writes:
On Wed, 13 Aug 2003 15:05:49 -0700 Blake Ramsdell
<blake(_at_)brutesquadlabs(_dot_)com> wrote:
A better question for the DNS distribution of certificates is whether or
not this smells like it would be the most likely thing to get deployed.
My understanding is that you would need DNS servers that supported the
particular record types required for this functionality, as well as
administrative tools to upgrade those records that are different than
typical DNS administration tools. To me, that doesn't smell as good.
Actually, I think that there are two barriers:
1. Deployment of DNS-SEC. People have to go out of their way to do it
right now. It takes some work both to deploy the right software and to
get the relationship set up with the domain registration service. Not
all services offer it.
Note that distributing certificate DNS does not depend on DNSSEC.
Thus the argument that DNSSEC may or may not be deployable is not
relevant to distributing certificate via DNS.
However, should DNSSEC (or some close approximation to it) happen, it
would make certificates distributed via DNS become integrity protected
and authenticated via the DNSSEC trust chain. LDAP or XKMS using SRV
records does not get the same benefit.
2. Client support. Basically this means that Outlook, Outlook Express,
Netscape (and down the list) of clients have to support it. It means a
CSP for the Windows twins and a module in the new Netscape/Mozilla
security API.
Since mail clients cannot find certificates for arbitrary users today,
I believe clients must be modified regardless of the solution chosen.
Even here there is an advantage for DNS: mail clients already
implement DNS. There is no need to open ports in firewalls etc for
LDAP or XKMS. There is no need to implement new client code in the
mail client. Instead modify the existing code to query for a CERT
record where it now queries for MX and A records. Yes, I know this
doesn't apply in all situations, such as corporate mode Outlook and
Exchange, which doesn't use Internet protocols to send and receive
mail. But we are here to find a solution for applications that uses
IETF standards, not Microsoft implementations, aren't we?
Regards,
Simon