
Re: Global PKI on DNS?

2002-06-12 10:04:14
"RL 'Bob' Morgan" <rlmorgan(_at_)washington(_dot_)edu> writes:

On 12 Jun 2002, Eric Rescorla wrote:

Yes, because it's an edge case.

So:  "scalability is an edge case".  I will restrain myself from
commenting further on this point.
Good, because that's not what I said.

I expect peers to send full cert chains to a small number of common
roots. There's no reason this can't be made to scale, and since
it's the only thing that works at all now, there's every reason to
expect that it's what we'll continue to be using in the future.

We barely have any PKI at all, I think it's a little early to start
worrying about cross-certification.

I'm sure you're aware that many folks, including Your Federal Government,
are designing and building systems that rely on cross-certification even
as we type. You may think these are doomed to failure (I have my doubts
myself) but you can't deny that they have requirements to meet.
As you say, I think that those systems are doomed to failure. Even if
I didn't it's not at all clear to me that the number of cross-linking
certificates is going to be anywhere near large enough to require
them to be fetched via DNS.

-Ekr

-- 
[Eric Rescorla                                   ekr(_at_)rtfm(_dot_)com]
                http://www.rtfm.com/
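The distinction argued over above, between a relying party that holds a few common roots and is sent the full chain, and one that needs a cross-certificate to reach its own root, as an added example in Go (not code from the original post or from any project mentioned in the thread). It constructs a throwaway root A, an intermediate, a server leaf, an unrelated root B, and a cross-certificate in which B certifies A's key; every name, key and hostname is hypothetical. Verification against B fails until the cross-certificate is supplied along with the chain, which is exactly the object the thread is debating where to fetch from.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario is a constructed PKI: two independent roots, an intermediate under
// root A, a leaf under that intermediate, and a cross-certificate in which
// root B certifies root A's key. All names and keys are hypothetical.
type Scenario struct {
	RootA, RootB, Inter, Leaf, CrossA *x509.Certificate
}

const serverName = "server.example" // constructed hostname for the leaf

var nextSerial int64 = 1

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a minimal certificate template: CA templates get certSign,
// end-entity templates get a DNS SAN and the serverAuth EKU.
func template(cn string, isCA bool) *x509.Certificate {
	nextSerial++
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl over pub with issuerKey; passing tmpl as its own issuer
// (with its own key) yields a self-signed root.
func issue(tmpl *x509.Certificate, pub *ecdsa.PublicKey, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Build creates the whole scenario with fresh throwaway keys.
func Build() *Scenario {
	kA, kB, kI, kL := newKey(), newKey(), newKey(), newKey()
	tA := template("Root A", true)
	rootA := issue(tA, &kA.PublicKey, tA, kA)
	tB := template("Root B", true)
	rootB := issue(tB, &kB.PublicKey, tB, kB)
	inter := issue(template("Intermediate CA", true), &kI.PublicKey, rootA, kA)
	leaf := issue(template(serverName, false), &kL.PublicKey, inter, kI)
	// Cross-certificate: root B signs root A's public key under root A's own
	// subject name, so a chain that ends at A can be extended one step to B.
	crossA := issue(template("Root A", true), &kA.PublicKey, rootB, kB)
	return &Scenario{RootA: rootA, RootB: rootB, Inter: inter, Leaf: leaf, CrossA: crossA}
}

// Verify models a relying party: it trusts only the given roots and treats
// whatever the peer sent as candidate intermediates.
func Verify(leaf *x509.Certificate, sent, trusted []*x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range trusted {
		roots.AddCert(r)
	}
	for _, c := range sent {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: serverName})
	return err == nil
}

// The peer sends the full chain up to a root the relying party already holds.
func ChainToCommonRoot(s *Scenario) bool {
	return Verify(s.Leaf, []*x509.Certificate{s.Inter}, []*x509.Certificate{s.RootA})
}

// The relying party holds only root B and no cross-certificate is sent: the
// chain dead-ends at root A, which it does not recognise.
func ForeignRootWithoutCross(s *Scenario) bool {
	return Verify(s.Leaf, []*x509.Certificate{s.Inter}, []*x509.Certificate{s.RootB})
}

// Same relying party, but the cross-certificate travels with the chain, so
// leaf -> intermediate -> (A certified by B) -> root B validates.
func ForeignRootWithCross(s *Scenario) bool {
	return Verify(s.Leaf, []*x509.Certificate{s.Inter, s.CrossA}, []*x509.Certificate{s.RootB})
}

func main() {
	s := Build()
	fmt.Println("full chain to common root:", ChainToCommonRoot(s))
	fmt.Println("foreign root, no cross-cert:", ForeignRootWithoutCross(s))
	fmt.Println("foreign root, cross-cert in chain:", ForeignRootWithCross(s))
}
```

The chain builder in `crypto/x509` matches the intermediate's issuer name to the cross-certificate's subject, so the relying party needs no DNS lookup or other out-of-band fetch as long as the peer includes the cross-certificate; the design question in the thread is what happens when it does not.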