ietf

Re: Global PKI on DNS?

2002-06-08 04:40:39
1) This is what I said: LDAP is highly unstructured at the global level
where DNS is not...

2) Wow, that's sheer load... How will it scale with more and more people
on the net? However, for certificates, how many times does your browser
check for a root certificate? Never... MS has built into Windows Update a
system to download new root certificates, but that's all. You get it one
time, you trust and forget about it till expiration time... As root
servers and ccTLDs and gTLDs are likely to be serious people, you don't
need to make any query to get the certificates either. You just get them
one time...

Cheers.

On Sat, 2002-06-08 at 02:27, Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu wrote:

    On Sat, 08 Jun 2002 13:22:28 -0000, Franck Martin said:
    
    > I was wondering if the best system to build a global PKI wouldn't be the
    > DNS system already in place?
    
    No.
    
    1) There's *NOT* a good mapping between the DNS and LDAP (hint - DN=, O=,
    and OU+ can be at the same level...)
    
    2) DNS has to be *FAST*, especially at the root - we're talking on the
    order of 200K queries a *SECOND*.  You figure out how to do that while
    also tossing certificates around, let us know...
    -- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech
    
    