North American Network Operators Group

RE: PGP keyserver infrastructure

  • From: L. Sassaman
  • Date: Tue Jun 27 16:57:17 2000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 27 Jun 2000, Roeland Meyer (E-mail) wrote:

> I get a real good chuckle out of this thread.<g>
> 1) Randy hisself is a prominent member of the IETF.
> 2) Having co-chaired a WG, I suspect that Randy may even know how
> it's done.
> 3) I'd bet a small amount of change that Randy has already
> started the wheels in motion, even before he sent the first
> message.
> 4) I suspect that this thread exists to measure the level of
> interest among the major players.

Well, if this is truly the case, that is wonderful. I'd like to hear
Randy's thoughts on a Keyserver WG, however.
 
> Now for something on-topic;
> Yes, Internet PKI, in its present state, sucks. Yes, there is a
> need, but the architecture definitely needs a look-see.
> Personally, I think it grossly inadequate and there ain't no way
> that it can be made as reliable as DNS, in its present form.
> It's basically a poor-man's TLS with about half the forethought.
> Personally, I've been working with X.509 certs as an improvement
> over basic PGP, but again, the PKI sucks there as well.

Could you elaborate on these statements?
 
> But, as a previous poster already brought to surface, the users
> must have an interest in this service or NONE of the ISPs will be
> interested in deployment. The reason that existing PKI sucks is
> mainly a lack of serious user interest. There are NO
> production-level PKI servers out there today. None of them will
> commit to an SLA and there are too few customers that will pay
> the required bucks to support a decent SLA, for a PKI
> infrastructure. Build it and they will NOT come, yet.

Well, my opinion may be clouded, since I am on the Keyserver team at
NAI... but our PGP Keyserver is used by numerous companies in
production-level situations to manage large PGP-based PKIs. The problem as
I see it is not the software quality (Highware and Marc Horowitz's folks
have also done an excellent job on their servers) but in the hardware and
network resources allocated to the public keyserver network.

__

L. Sassaman

System Administrator                |  "Everything looks bad
Technology Consultant               |   if you remember it."
icq.. 10735603                      |  
pgp.. finger://ns.quickie.net/rabbi |        --Homer Simpson

-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.

iD8DBQE5WRP/PYrxsgmsCmoRArvvAKCjpTZLV3IuG5g81Q0gK2/9g6JtAwCeNwZv
2NXG40U0lRj8HpFbeNBk/U4=
=imkR
-----END PGP SIGNATURE-----