ietf

Re: Global PKI on DNS?

2002-06-09 05:40:24
Shouldn't we have this discussion in keydist instead? I know keydist isn't a 
working group yet but we do have a list for such discussion...

-James Seng

listadm@loki.ietf.org wrote:

on 6/8/2002 8:22 AM Franck Martin said the following:

I was wondering if the best system to build a global PKI wouldn't be the
DNS system already in place?

This is an ongoing argument. Essentially there are two camps:

  Pro--there's a global database out there, let's put useful stuff
       into it. Certs is a no-brainer, but people have also argued for
       baseball scores, usernames, and everything else short of kitchen
       sink inventories.

  Con--the more crap you put into DNS, the less usable it becomes for
       its primary purpose of providing fast and lightweight lookups
       for Internet resources. While certs can be argued to be in that
       camp, they cannot be handled with fast and lightweight lookups.

As other people have already pointed out, the use of large objects
requires that clients and servers use TCP for lookups. TCP imposes a large
burden on servers (especially busy servers) in comparison to UDP. Add to
that the fact that many DNS systems do not support the use of TCP for
queries whatsoever, meaning that it just won't work with a large number of
systems in the first place. And even if it did work, it would result in
other simple lookups failing, essentially punishing everybody for the
benefit of a single application.

It would be the easiest way as apparently nobody is trying to build a
global PKI infrastructure and LDAP people can't agree on a global
standard to link each ldap server to each other, which DNS has...

There is some work underway to develop an LDAP infrastructure for the
Internet community, with DNS being used as a stub to kickstart the
process. That will get you the same thing as what you want, but without
crushing DNS as a result.

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
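The UDP-versus-TCP point made above, shown as an added illustration (not part of the thread or its authors' code): a minimal model of a DNS server answering over UDP without EDNS0, where a 512-byte limit applies. An A record fits easily, while a CERT record carrying a constructed 1000-byte certificate stand-in does not, so the server returns a truncated reply with TC=1 and the client must retry over TCP. The name, address and certificate bytes are constructed sample values.

```python
import struct

UDP_PAYLOAD_LIMIT = 512    # classic DNS-over-UDP limit without EDNS0 (RFC 1035)
TC_FLAG = 0x0200           # "truncated" bit in the DNS header flags
TYPE_A, TYPE_CERT = 1, 37  # RR type codes; CERT is RFC 2538's certificate record

def encode_name(name):
    """Encode a dotted name into DNS wire format (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def cert_rdata(cert_der, cert_type=1, key_tag=0, algorithm=5):
    """CERT RDATA: 16-bit type, 16-bit key tag, 8-bit algorithm, then the certificate."""
    return struct.pack(">HHB", cert_type, key_tag, algorithm) + cert_der

def build_response(qname, rtype, rdata, ttl=3600):
    """Full response: header, one question and one answer RR (no name compression)."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # ID, QR|RD|RA, counts
    question = encode_name(qname) + struct.pack(">HH", rtype, 1)   # class IN
    answer = encode_name(qname) + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer

def udp_response(qname, rtype, rdata):
    """What a UDP server sends: the full answer if it fits, otherwise a reply
    with TC=1 and no answer section, which makes the client retry over TCP."""
    full = build_response(qname, rtype, rdata)
    if len(full) <= UDP_PAYLOAD_LIMIT:
        return full
    header = struct.pack(">HHHHHH", 0x1234, 0x8180 | TC_FLAG, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", rtype, 1)

def needs_tcp(msg):
    """True when the reply's TC bit is set, i.e. the client must fall back to TCP."""
    return bool(struct.unpack(">H", msg[2:4])[0] & TC_FLAG)

if __name__ == "__main__":
    name = "www.example.com."                                 # constructed sample name
    a = udp_response(name, TYPE_A, b"\xc0\x00\x02\x01")      # constructed IPv4 address
    fake_cert = b"\x30" * 1000                                # constructed stand-in for DER
    c = udp_response(name, TYPE_CERT, cert_rdata(fake_cert))
    print(len(a), needs_tcp(a))   # 64 False
    print(len(c), needs_tcp(c))   # 33 True
```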