Harald,
You are right that the scheme I proposed in 1422 did not succeed,
and today I would not suggest it. But, the reason I would not suggest
it today is because I have come to believe that one should adopt CAs
that are authoritative for the certs they issue, not "trusted" third
parties. The DNS root is an example of such a CA, whereas RSA
(proposed as the IPRA) was not. If we deploy DNSSEC in a full, top
down fashion, the effect is the same as what Kevin is suggesting,
except that we would be using a standard cert format that is employed
by many security protocols.
steve