
Re: Global PKI on DNS?

2002-06-12 06:52:24
David Conrad <david(_dot_)conrad(_at_)nominum(_dot_)com> writes:
> There is no reason anyone would care about the root or TLD certificates
> (unless they had communication relevant to the root or TLD certificate
> owners).  There is nothing stopping anyone from putting their certificates
> into the DNS and making use of the DNS characteristics of global
> scalability, reliability, redundancy, and caching.  Indeed, it would appear
> some people are already doing so.
>
> However, mention PKI and DNS in the same sentence and you get a fascinating
> array of knee jerk reactions.  All very amusing except for the fact that the
> knee jerking is hindering efforts by folks with valid problems from
> standardizing on a (note: not _THE_, _A_) mechanism using the DNS to
> distribute key information.

If all you want to do is cram PKIX/X.509 certs into the DNS, the 
question becomes: why?

Nearly all of the major IETF security protocols (TLS, IPsec, OpenPGP)
already have their own certificate discovery mechanism and therefore
have no need to have certificates in the DNS. TLS, in particular,
wouldn't know what to do with them if they were there.

The only IETF security protocol which I can think of that
doesn't have a mechanism is S/MIME. The problem with S/MIME only
exists when someone wants to send an encrypted e-mail to someone 
who you've never spoken to before. (Certificates are already
delivered along with signed messages). But then, I'm not sure
that I see enough deployment of S/MIME or S/MIME certificates to
find this a very compelling argument....

-Ekr

-- 
[Eric Rescorla                                   ekr(_at_)rtfm(_dot_)com]
                http://www.rtfm.com/