North American Network Operators Group


RE: PGP keyserver infrastructure

  • From: L. Sassaman
  • Date: Mon Jul 03 22:37:16 2000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 3 Jul 2000, Dave Del Torto wrote:
> >Unlike an X.500 directory, it is very difficult to segment PGP keys
> >into directories. How would one do this? Using DNS?
> 
> Right. DNSsec defines KEY and SIG records, so you could
> theoretically have a key associated with every IP address.

DNS is extremely ill-suited to serving as a key distribution method. This
has been discussed multiple times, and the people who have actually worked
on keyservers all generally agree that there must be better means for
doing this.
 
> >Which domain would one choose to use for cataloging the keys? (ex.:
> >My key has multiple email addresses, including quickie.net and
> >pgp.com. Which domain would it be under?)  ...
> 
> Both. Availability is a primary design criterion.

How about keys like the PGP Employee Certification Key, which has no email
address? What if quickie.net was an ISP that did not want to run a
keyserver? Have you ever actually tried to use bind to serve keys? (I
think not, or else you would not be suggesting it.)
 
> >Multiple servers only exist for redundancy and performance benefits.
> >...
> 
> They also provide rapid access for local users. It's the same as when
> I plug a new device onto my network and its IP and FQDN get sucked
> into the DNS, then someone can do a DNS "DIG" for the machine's
> address based on some protocol need.
> 
> Draw the analog in key management to DHCP, and build that.

Again, trying to shoehorn PGP key serving into an existing technology
might be a good thing, but only if that existing technology will be
suitable. DNS is not.


__

L. Sassaman

System Administrator                |  
Technology Consultant               |  "Common sense is wrong." 
icq.. 10735603                      |  
pgp.. finger://ns.quickie.net/rabbi |    --Practical C Programming

-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.

iD8DBQE5YU0nPYrxsgmsCmoRAu/TAKCfUtg4Mv+4tq39VAINQRyEtoHCrACg8EHt
MvxJ5QSrjxHZazWZn6IsGmE=
=q9eF
-----END PGP SIGNATURE-----
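The thread argues about whether DNSSEC's KEY/SIG records could carry PGP keys, which domain a multi-address key would live under, and what happens to keys with no e-mail address at all. The following script is an added example, not code from either poster or from any keyserver project: it encodes a key into RFC 2535 KEY RDATA, computes the key tag, derives a DNS owner name for each OpenPGP user ID, and checks whether a single-answer reply would fit in a classic 512-byte UDP DNS message. Assumptions, also marked in the code: the owner-name mapping is the RFC 2538 style "local@domain -> local.domain" convention with no escaping of dots in the local part; the key blob, the user IDs and the "someone@..." addresses are constructed filler, not real keys or people; protocol/algorithm field values are placeholders chosen only to mark the record as a non-DNSSEC user key.

```python
"""Sketch of publishing an OpenPGP public key as a DNSSEC KEY RR.

Added example with constructed data; it is not code from the thread
or from any keyserver implementation.
"""
import hashlib

UDP_DNS_LIMIT = 512  # classic DNS-over-UDP message limit (RFC 1035), pre-EDNS0


def constructed_key_blob(nbytes=1400):
    """Deterministic filler standing in for a binary OpenPGP public key block.
    Assumption: ~1.4 KB is a plausible size for a key plus UIDs and
    self-signatures; this is NOT a real key."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha1(b"constructed-pgp-key-%d" % counter).digest()
        counter += 1
    return out[:nbytes]


def key_rdata(public_key, flags=0, protocol=2, algorithm=253):
    """RFC 2535 KEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key.
    flags=0 marks a user key; protocol=2 is the RFC 2535 'email' value;
    algorithm=253 (private) is an assumption used only because OpenPGP is
    not a DNSSEC algorithm."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata):
    """Key tag over the RDATA (RFC 2535 Appendix C / RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_name_for_uid(uid):
    """Map an OpenPGP user ID to a DNS owner name.
    Assumption: RFC 2538 style mapping local@domain -> local.domain, dots in
    the local part left as-is. A UID with no address (a certification key
    named only by a role string) has no natural owner name: returns None."""
    if "<" in uid and ">" in uid:
        addr = uid[uid.index("<") + 1:uid.index(">")]
    elif "@" in uid and " " not in uid:
        addr = uid
    else:
        return None
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        return None
    return f"{local}.{domain}".lower()


def encode_name(name):
    """Uncompressed wire-format domain name: length-prefixed labels + root."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def response_size(owner, rdata):
    """Minimal one-answer DNS response: 12-byte header, question (QNAME +
    QTYPE + QCLASS), one RR whose owner is a 2-byte compression pointer
    (TYPE 2, CLASS 2, TTL 4, RDLENGTH 2, RDATA). No additional section."""
    question = len(encode_name(owner)) + 4
    answer = 2 + 2 + 2 + 4 + 2 + len(rdata)
    return 12 + question + answer


def publish_plan(uids, public_key):
    """For each UID: where the KEY RR would live and whether a classic UDP
    reply could carry it. Returns (uid, owner, size, fits) tuples; a UID
    with no owner name yields (uid, None, None, False)."""
    rdata = key_rdata(public_key)
    plan = []
    for uid in uids:
        owner = owner_name_for_uid(uid)
        if owner is None:
            plan.append((uid, None, None, False))
            continue
        size = response_size(owner, rdata)
        plan.append((uid, owner, size, size <= UDP_DNS_LIMIT))
    return plan


if __name__ == "__main__":
    # Constructed UIDs: two addresses under domains named in the thread and
    # one role-only UID with no address. Not real identities.
    uids = ["Someone <someone@quickie.net>",
            "Someone <someone@pgp.com>",
            "PGP Employee Certification Key"]
    blob = constructed_key_blob()
    print("key tag:", key_tag(key_rdata(blob)))
    for uid, owner, size, fits in publish_plan(uids, blob):
        print(f"{uid!r}: owner={owner} reply_bytes={size} fits_udp={fits}")
```

Running it shows the three questions from the thread in concrete form: the same key would have to be published under two unrelated owner names (one per address), the role-only UID has nowhere to live at all, and a realistic-size key blob pushes a single reply far past 512 bytes, so a pre-EDNS0 resolver would have to fall back to TCP.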