
Re: [dane] PGP security models, was Summary of IETF LC for draft-ietf-dane-openpgpkey

2015-09-23 00:30:00
On 09/22/2015 05:11 PM, Paul Wouters wrote:
On Tue, 22 Sep 2015, John C Klensin wrote:

However, if you believe that, because of trust issues, people
get keys only from personal contacts rather than indirectly from
public databases, why are we discussing yet another public
database-based approach?   Or are you convinced that the problem
with the other public databases is that the DNS is inherently
better for some reason such as the inability of third parties
not associated with the domain in the address to add keys?

Yes.

The other common use problem is not being able to delete keys, so you end
up using a keyserver, get a (verified by WoT) key and then in response
you get a plaintext message saying "I forgot my passphrase so I cannot
delete/revoke my old key". With DNS, you can remove the key from DNS
without needing the private key or passphrase to it.

Paul

Actually the DNS manipulation is not deleting a key; it's preventing it
from being found.

Revocation is "I, the signer of this revocation, declare that this key
is not worthy of trust".
(the difference between a CRL and a PGP-style revocation is who signs
the revocation - both have their place in the pantheon of web-of-trust
models.)

Deleting from the DNS is just making the key (and its signatures) harder
to find.
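As an added illustration of the two mechanisms this reply contrasts (example code written for this page; it is not part of the thread and not from any OPENPGPKEY implementation): the script below derives the OPENPGPKEY owner name the way the published RFC 7929 (the final form of draft-ietf-dane-openpgpkey, which postdates this message) specifies it, and models publication, lookup and removal against a constructed in-memory zone. The zone, the key bytes and the correspondent's cache are stand-ins so it runs offline; revocation signatures are deliberately not modelled, since producing one needs the private key and a PGP implementation, which is exactly the situation the quoted user was in.

```python
"""OPENPGPKEY (RFC 7929) publication and removal, modelled in memory.

Added example for this thread; not code from the message author or from
any IETF implementation. The owner-name derivation follows the published
RFC 7929; the zone, key bytes and correspondent cache are constructed
stand-ins so the script runs offline.
"""
import hashlib
from typing import Dict, Optional

OPENPGPKEY_RRTYPE = 61  # IANA RR type number for OPENPGPKEY (RFC 7929)


def openpgpkey_owner_name(email: str) -> str:
    """Return the DNS owner name RFC 7929 assigns to an email address.

    The local part is hashed with SHA2-256, the digest truncated to its
    first 28 octets (56 hex characters) and placed under
    _openpgpkey.<domain>. The local part is hashed exactly as given, so
    any case or Unicode normalisation is the caller's job (RFC 7929
    discusses address variants); the domain is lowercased because DNS
    owner names are case-insensitive.
    """
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("expected local-part@domain, got %r" % email)
    digest = hashlib.sha256(local.encode("utf-8")).hexdigest()
    return "%s._openpgpkey.%s" % (digest[:56], domain.lower())


def openpgpkey_generic_rr(owner: str, key_packets: bytes) -> str:
    """Presentation line for the record using the RFC 3597 generic syntax.

    TYPE61 \\# <length> <hex> is what a zone file needs when the name
    server does not yet know the OPENPGPKEY mnemonic; the RDATA is the
    raw (binary, not ASCII-armoured) transferable public key.
    """
    return "%s. IN TYPE%d \\# %d %s" % (
        owner.rstrip("."), OPENPGPKEY_RRTYPE, len(key_packets), key_packets.hex())


# A zone is modelled as owner name -> RDATA. A real deployment signs the
# zone with DNSSEC; that is not modelled here.
Zone = Dict[str, bytes]


def publish(zone: Zone, email: str, key_packets: bytes) -> str:
    """Add the OPENPGPKEY record for email; returns the owner name used."""
    owner = openpgpkey_owner_name(email)
    zone[owner] = key_packets
    return owner


def lookup(zone: Zone, email: str) -> Optional[bytes]:
    """What a sending MUA does: hash the address and fetch the record."""
    return zone.get(openpgpkey_owner_name(email))


def unpublish(zone: Zone, email: str) -> bool:
    """Remove the record. Needs zone control only, not the private key."""
    return zone.pop(openpgpkey_owner_name(email), None) is not None


def demo() -> dict:
    """Walk through the scenario in the message and report what each side sees."""
    zone: Zone = {}
    # Constructed stand-in for a binary transferable public key (not a
    # real OpenPGP packet sequence).
    old_key = b"\x99\x00\x0fstand-in-key-1"
    publish(zone, "hugh@example.com", old_key)

    # A correspondent looks the key up while it is published and caches it.
    cached = lookup(zone, "hugh@example.com")
    found_before = cached is not None

    # The owner loses the passphrase, cannot sign a revocation, and removes
    # the record instead. New lookups now find nothing ...
    unpublish(zone, "hugh@example.com")
    found_after = lookup(zone, "hugh@example.com") is not None

    # ... but the cached copy is unchanged and carries no revocation, which
    # is the distinction the reply draws between hiding and revoking.
    return {
        "found_before_removal": found_before,
        "found_after_removal": found_after,
        "cached_copy_survives": cached == old_key,
    }


if __name__ == "__main__":
    print(openpgpkey_generic_rr(openpgpkey_owner_name("hugh@example.com"),
                                b"\x99\x00\x0fstand-in-key-1"))
    print(demo())
```

Two things worth noticing when running it: the owner name for `Hugh@example.com` differs from the one for `hugh@example.com`, because only the domain part is case-folded, so a publisher has to decide which spellings to publish; and removing the record changes nothing for anyone who already holds a copy, which is the responder's point that deletion from the DNS hides a key rather than revoking it.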