Shouldnt we have this discussion in keydist instead? I know keydist isnt a
working group yet but we do have a list for such discussion...
-James Seng
listadm(_at_)loki(_dot_)ietf(_dot_)org wrote:
on 6/8/2002 8:22 AM Franck Martin said the following:
I was wondering if the best system to build a global PKI wouldn't be the
DNS system already in place?
This is an ongoing argument. Essentially there are two camps:
Pro--there's a global database out there, let's put useful stuff
into it. Certs is a no-brainer, but people have also argued for
baseball scores, usernames, and everything else short of kitchen
sink inventories.
Con--the more crap you put into DNS, the less usable it becomes for
its primary purpose of providing fast and lightweight lookups
for Internet resources. While certs can be argued to be in that
camp, they cannot be handled with fast and lightweight lookups.
As other people have already pointed out, the use of large objects
requires that clients and servers use TCP for lookups. TCP imposes a large
burden on servers (especially busy servers) in comparison to UDP. Add to
that the fact that many DNS systems do not support the use of TCP for
queries whatsoever, meaning that it just won't work with a large number of
systems in the first place. And even if it did work, it would result in
other simple lookups failing, essentially punishing everybody for the
benefit of a single application.
It would be the easiest way as apparently nobody is trying to build a
global PKI infrastructure and LDAP people can't agree on a global
standard to link each ldap server to each other, which DNS has...
There is some work underway to develop an LDAP infrastructure for the
Internet community, with DNS being used as a stub to kickstart the
process. That will get you the same thing as what you want, but without
crushing DNS as a result.
--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/