[29621] in North American Network Operators' Group
RE: PGP kerserver infrastructure
daemon@ATHENA.MIT.EDU (Randy Bush)
Fri Jun 30 09:41:41 2000
From: Randy Bush <randy@psg.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: "Eric M. Carroll" <eric.carroll@acm.org>
Cc: nanog@merit.edu, pgp-keyserver-folk@flame.org
Message-Id: <E13810y-00009Y-00@rip.psg.com>
Date: Fri, 30 Jun 2000 06:39:28 -0700
Errors-To: owner-nanog-outgoing@merit.edu
> While I have limited experience in PGP infrastructure, I have spent a great
> deal of time with X.500 & X509 infrastructure (sympathy appreciated).
i watched that and see the parallel.
> The key service folk (PGP and anyone IETF-izing the X509 world, and the
> IPSEC folk for that matter) would be doing a Huge Service to Humanity if
> they simply *defined* the manner in which key servers will find each other
> using the DNS.
i am not convinced. the email address space you describe maps well to the
dns as it too is hierarchic (in fact is the identical hierarchy:-). the pgp
key space is not obviously hierarchic, but rather a non-directed and cyclic
graph. so using the dns, e.g. srv rrs, to find a keyserver is not a mapping
so obvious that i can see it.
unless you are suggesting that looking for the public key for randy@psg.com
should follow the dns hierarchy for psg.com. this forces all key ids to be
domain name based, which is not a restriction in pgp. it also does not work
in obvious ways for reverse lookup, though i can envision a hack similar to
in-addr.arpa (yuck).
randy
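An added illustration of the mapping Randy is weighing (example code written for this archive page, not from the thread, PGP or any keyserver): the mail-address form of a key's user ID does map onto the DNS tree, so a client can derive SRV owner names and walk up the domain hierarchy, but a bare key ID has no domain part and the scheme has nothing to attach to. The SRV service label `_pgpkey._tcp`, the SRV records and the hostnames are constructed stand-ins, not real records; the RR ordering follows RFC 2782.

```python
import random
import re
from typing import Dict, List, Optional, Tuple

# Hypothetical service label; the thread names no SRV service for PGP keyservers.
SERVICE_LABEL = "_pgpkey._tcp"

EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+)$")

SrvRR = Tuple[int, int, int, str]  # (priority, weight, port, target)

# Constructed SRV data standing in for DNS answers (not real records).
CONSTRUCTED_ZONE: Dict[str, List[SrvRR]] = {
    "_pgpkey._tcp.psg.com": [
        (10, 60, 11371, "keys1.psg.com"),
        (10, 40, 11371, "keys2.psg.com"),
        (20, 0, 11371, "backup.psg.com"),
    ],
}


def srv_candidates(identifier: str) -> Optional[List[str]]:
    """Derive the SRV owner names to query for an identifier, most specific first,
    walking up the DNS hierarchy of the mail domain (stopping before the TLD).
    Returns None for an identifier with no domain part, e.g. a bare key ID such as
    0xDEADBEEF: there is no point in the DNS tree to hang the lookup on."""
    m = EMAIL_RE.match(identifier)
    if m is None:
        return None
    labels = m.group(1).lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return [f"{SERVICE_LABEL}.{'.'.join(labels[i:])}" for i in range(len(labels) - 1)]


def order_srv(rrs: List[SrvRR], rng: random.Random) -> List[Tuple[str, int]]:
    """Order SRV records as RFC 2782 prescribes: ascending priority, and within a
    priority a weighted random selection (zero-weight records considered first)."""
    ordered: List[Tuple[str, int]] = []
    for prio in sorted({r[0] for r in rrs}):
        group = sorted((r for r in rrs if r[0] == prio),
                       key=lambda r: r[1] == 0, reverse=True)
        while group:
            total = sum(r[1] for r in group)
            pick = rng.randint(0, total)
            running = 0
            for r in group:
                running += r[1]
                if running >= pick:
                    ordered.append((r[3], r[2]))
                    group.remove(r)
                    break
    return ordered


def locate_keyserver(identifier: str,
                     zone: Dict[str, List[SrvRR]] = CONSTRUCTED_ZONE,
                     seed: int = 0) -> List[Tuple[str, int]]:
    """Return (host, port) pairs to try in order, an empty list when no zone on the
    path publishes the service, or raise ValueError when the identifier cannot be
    mapped onto the DNS hierarchy at all (the key-ID case)."""
    names = srv_candidates(identifier)
    if names is None:
        raise ValueError(f"{identifier!r} has no domain part; DNS discovery does not apply")
    rng = random.Random(seed)
    for name in names:
        if name in zone:
            return order_srv(zone[name], rng)
    return []
```

Walking up the hierarchy is what makes a lookup for a user under mail.psg.com land on psg.com's records, but it also shows the cost Randy notes: the identifier has to carry a domain at all, and a lookup keyed by key ID alone (the reverse direction) never gets as far as a DNS query.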