
Re: PGP security models, was Summary of IETF LC for draft-ietf-dane-openpgpkey

2015-09-23 16:03:22
Paul Wouters <paul(_at_)nohats(_dot_)ca> writes:

> On Wed, 23 Sep 2015, John R Levine wrote:
>
>> Sure, but once again you're no better off than if you got the key
>> anywhere else.  I understand the argument for better key servers and
>> maybe better ways to discover key servers (a URI record should do
>> it), but I don't understand the argument for a whole new mechanism
>> with new security, scaling, and semantic problems.
>
> Some people disagree with you and think DNSSEC is a viable PKI for their
> intended use. These people want to use DNSSEC. We can give those people
> an experimental RFC with OPENPGPKEY record, or we can force them to use
> an individual submitted draft with a TXT record stalled until expiry.

Or they can use the already specified CERT record, which GnuPG supports.
Yes, CERT has its own share of problems, that you have explained, but I
don't see that any of the issues you brought up with CERT (that I mostly
agree with, FWIW) has had bearing on its deployment success or not.

/Simon
