
Re: [dane] PGP security models, was Summary of IETF LC for draft-ietf-dane-openpgpkey

2015-09-23 11:02:47
"John" == John Levine <johnl(_at_)taugh(_dot_)com> writes:
    John> I've been trying to figure out what this draft provides that
    John> the existing widely implemented PGP keyservers don't.  So far,
    John> it seems to be that in some cases it's easier to delete dead
    John> keys, although that makes some significant assumptions about
    John> how the provisioning systems work.

I also think you have higher trust in DNSSEC-validated keys than in a key
that you get from a key server without a trust path to some key you
trust.

Key servers are a publicly writable database with no level of assurance
in the contents implied by an entry existing in the database.
DNSSEC can give you greater assurance if you trust the domain owner.


I think this is mostly a terrible idea, because it might lead to me
getting some significant quantity of PGP-encrypted email if successful,
and I can think of few worse things than having to deal with significant
quantities of encrypted mail :-)

However I agree with the authors that it would actually make it easier
to find pgp keys that you have some degree of trust in.
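As an added illustration of the assurance argument above (this is not code from the thread, the draft or any keyserver implementation), the Python below derives the OPENPGPKEY owner name as specified in RFC 7929, the published form of this draft, and accepts a lookup result only when the resolver's response header asserts DNSSEC validation. The email address and the response headers are constructed sample inputs.

```python
import hashlib
import struct

# Bits of the DNS header flags word (RFC 1035 / RFC 4035 layout).
AD_FLAG = 0x0020     # Authenticated Data: resolver asserts the answer validated
TC_FLAG = 0x0200     # TrunCation: answer is incomplete, fetch again over TCP
RCODE_MASK = 0x000F  # low four bits carry the response code (0 = NOERROR)


def openpgpkey_owner_name(email: str) -> str:
    """Owner name of the OPENPGPKEY record for an address (RFC 7929, section 3).

    The local-part is hashed as given with SHA-256, the digest truncated to
    28 octets and written as lowercase hex, then "._openpgpkey." and the domain
    are appended. The domain is lowercased only because DNS names are
    case-insensitive.
    """
    local_part, domain = email.rsplit("@", 1)
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain.lower()}"


def dnssec_authenticated(wire: bytes) -> bool:
    """True only if a DNS response header carries AD, is not truncated and is NOERROR.

    AD is a claim made by the recursive resolver, not proof carried in the
    answer itself, so this check is only meaningful when that resolver is a
    validating one reached over a trusted path (for example on localhost).
    Without AD the record has no more assurance than a keyserver entry.
    """
    if len(wire) < 12:          # a DNS header is always 12 octets
        return False
    flags = struct.unpack("!H", wire[2:4])[0]
    return bool(flags & AD_FLAG) and not (flags & TC_FLAG) and (flags & RCODE_MASK) == 0


# Constructed 12-octet response headers: ID, flags, QD, AN, NS, AR counts.
# Flags 0x81A0 = QR|RD|RA|AD (validated), 0x8180 = QR|RD|RA (unvalidated),
# 0x81A2 = QR|RD|RA|AD with RCODE 2 (SERVFAIL, so nothing to trust).
VALIDATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
UNVALIDATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
SERVFAIL_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x81A2, 1, 0, 0, 0)

if __name__ == "__main__":
    # Constructed sample address; prints the name a client would query.
    print(openpgpkey_owner_name("hugh@example.com"))
    for label, hdr in [("validated", VALIDATED_RESPONSE),
                       ("unvalidated", UNVALIDATED_RESPONSE),
                       ("servfail", SERVFAIL_RESPONSE)]:
        print(label, "->", "accept key" if dnssec_authenticated(hdr) else "reject")
```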
