RE: PGP keyserver infrastructure
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 3 Jul 2000, Dave Del Torto wrote:

>> Unlike an X.500 directory, it is very difficult to segment PGP keys
>> into directories. How would one do this? Using DNS?
>
> Right. DNSsec defines KEY and SIG records, so you could theoretically
> have a key associated with every IP address.

DNS is extremely ill-suited to serving as a key distribution method. This
has been discussed multiple times, and the people who have actually worked
on keyservers all generally agree that there must be better means for
doing this.

>> Which domain would one choose to use for cataloging the keys? (ex.: My
>> key has multiple email addresses, including quickie.net and pgp.com.
>> Which domain would it be under?) ...
>
> Both. Availability is a primary design criterion.

How about keys like the PGP Employee Certification Key, which has no email
address? What if quickie.net was an ISP that did not want to run a
keyserver? Have you ever actually tried to use BIND to serve keys? (I think
not, or else you would not be suggesting it.)

>> Multiple servers only exist for redundancy and performance benefits. ...
>
> They also provide rapid access for local users. It's the same as when I
> plug a new device onto my network and its IP and FQDN get sucked into
> the DNS, then someone can do a DNS "DIG" for the machine's address based
> on some protocol need.
>
> Draw the analog in key management to DHCP, and build that.

Again, trying to shoehorn PGP key serving into an existing technology
might be a good thing, but only if that existing technology will be
suitable. DNS is not.

- --
L. Sassaman
System Administrator | Technology Consultant
icq.. 10735603 | pgp.. finger://ns.quickie.net/rabbi

"Common sense is wrong."
    --Practical C Programming

-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.

iD8DBQE5YU0nPYrxsgmsCmoRAu/TAKCfUtg4Mv+4tq39VAINQRyEtoHCrACg8EHt
MvxJ5QSrjxHZazWZn6IsGmE=
=q9eF
-----END PGP SIGNATURE-----
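The two objections raised in the message above (a key with several email addresses belongs to several domains, a role key with no address belongs to none, and a full key does not fit a classic DNS reply) can be made concrete. The following is an added illustration, not code from the thread or from any keyserver project. It assumes a naming convention of `<localpart>.<domain>` for the DNS owner name of a key, which is a constructed choice for the example, and the sample key records (user IDs and armored sizes) are constructed data, not real keys. The 512-byte figure is the classic DNS-over-UDP message limit from RFC 1035; the per-reply overhead allowance is an assumption.

```python
"""Added illustration (not from the mailing-list thread): file OpenPGP keys
under DNS owner names derived from their user IDs and flag the cases the
thread raises. Sample keys below are constructed, not real key material."""
import re
from dataclasses import dataclass

# Classic DNS over UDP caps the whole message at 512 bytes (RFC 1035).
# Anything larger forces TCP fallback or EDNS0 on the resolver side.
MAX_UDP_DNS_PAYLOAD = 512

# Matches the "<user@host>" part of an OpenPGP user ID string.
EMAIL_RE = re.compile(r"<([^<>@\s]+)@([^<>@\s]+)>")


@dataclass
class SampleKey:
    name: str           # label used only for this example
    user_ids: list      # OpenPGP user ID strings, e.g. "Name <user@host>"
    armored_size: int   # byte length of the armored public key (constructed)


def owner_names(key):
    """DNS owner names the key would be filed under.

    Assumed convention for the example: <localpart>.<domain>, one name per
    email address found in the user IDs. A key with several addresses lands
    in several zones; a key with no address has no natural owner name.
    """
    names = set()
    for uid in key.user_ids:
        for local, domain in EMAIL_RE.findall(uid):
            names.add(f"{local.lower()}.{domain.lower()}")
    return names


def zones_responsible(key):
    """Every zone that would have to publish (and, with DNSSEC, sign) the key."""
    return {n.split(".", 1)[1] for n in owner_names(key)}


def fits_udp_reply(key, overhead=64):
    """Rough check whether the armored key fits one classic UDP reply.

    `overhead` is a constructed allowance for header, question and RR fields.
    """
    return key.armored_size + overhead <= MAX_UDP_DNS_PAYLOAD


def catalogue(keys):
    """Summarise each key's placement and flag the problem cases."""
    report = {}
    for key in keys:
        zones = zones_responsible(key)
        report[key.name] = {
            "owner_names": sorted(owner_names(key)),
            "zones": sorted(zones),
            "no_address": not zones,            # nowhere to file it
            "split_across_zones": len(zones) > 1,  # two operators must agree
            "fits_udp": fits_udp_reply(key),
        }
    return report


# Constructed sample keys mirroring the three cases discussed in the thread.
SAMPLE_KEYS = [
    SampleKey("multi-domain user",
              ["Alice Example <alice@example.net>",
               "Alice Example <alice@example.com>"], 1900),
    SampleKey("role key with no email",
              ["Example Corp Employee Certification Key"], 1400),
    SampleKey("small single-address key",
              ["Bob <bob@example.org>"], 420),
]

if __name__ == "__main__":
    for name, row in catalogue(SAMPLE_KEYS).items():
        print(name, row)
```

Running it shows the multi-address key split across two zones run by different operators, the certification key with no owner name at all, and only the smallest constructed key fitting a classic UDP reply; real keys carrying third-party signatures are typically far larger than the 512-byte limit.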