[29664] in North American Network Operators' Group
RE: PGP keyserver infrastructure
daemon@ATHENA.MIT.EDU (L. Sassaman)
Mon Jul 3 22:36:28 2000
Date: Mon, 3 Jul 2000 19:34:05 -0700 (PDT)
From: "L. Sassaman" <rabbi@quickie.net>
To: Dave Del Torto <ddt@openpgp.net>
Cc: "Eric M. Carroll" <eric.carroll@acm.org>,
Randy Bush <randy@psg.com>, John Fraizer <nanog@EnterZone.Net>,
nanog@merit.edu, "Neil J. McRae" <neil@domino.org>
In-Reply-To: <p04320426b58607816575@[192.168.248.7]>
Message-ID: <Pine.LNX.4.21.QNWS_2.0007031930490.28152-100000@thetis.deor.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, 3 Jul 2000, Dave Del Torto wrote:
> >Unlike an X.500 directory, it is very difficult to segment PGP keys
> >into directories. How would one do this? Using DNS?
>
> Right. DNSsec defines KEY and SIG records, so you could
> theoretically have a key associated with every IP address.
DNS is extremely ill-suited to serving as a key distribution method. This
has been discussed multiple times, and the people who have actually worked
on keyservers all generally agree that there must be better means for
doing this.
> >Which domain would one choose to use for cataloging the keys? (ex.:
> >My key has multiple email addresses, including quickie.net and
> >pgp.com. Which domain would it be under?) ...
>
> Both. Availability is a primary design criterion.
How about keys like the PGP Employee Certification Key, which has no email
address? What if quickie.net was an ISP that did not want to run a
keyserver? Have you ever actually tried to use bind to serve keys? (I
think not, or else you would not be suggesting it.)
> >Multiple servers only exist for redundancy and performance benefits.
> >...
>
> They also provide rapid access for local users. It's the same as when
> I plug a new device onto my network and its IP and FQDN get sucked
> into the DNS, then someone can do a DNS "DIG" for the machine's
> address based on some protocol need.
>
> Draw the analog in key management to DHCP, and build that.
Again, trying to shoehorn PGP key serving into an existing technology
might be a good thing, but only if that existing technology will be
suitable. DNS is not.
__
L. Sassaman
System Administrator |
Technology Consultant | "Common sense is wrong."
icq.. 10735603 |
pgp.. finger://ns.quickie.net/rabbi | --Practical C Programming
-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.
iD8DBQE5YU0nPYrxsgmsCmoRAu/TAKCfUtg4Mv+4tq39VAINQRyEtoHCrACg8EHt
MvxJ5QSrjxHZazWZn6IsGmE=
=q9eF
-----END PGP SIGNATURE-----
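The objection in the reply above ("which domain would the key live under, and what about keys with no email address at all?") is easy to make concrete by looking at the packets that actually carry a key's identities. The following is an added example, not code from the original post or from any keyserver project: it parses OpenPGP packet headers (RFC 2440 section 4.2, both old- and new-format) to pull the user ID packets out of a key block, then derives the set of DNS domains that would have to publish that key. The key blocks are constructed inline with dummy key material, and the pgp.com address is an invented placeholder; only quickie.net and the "PGP Employee Certification Key" name come from the thread.

```python
"""Added example (not part of the original NANOG post).

Walks an OpenPGP packet stream, extracts user ID packets (tag 13), and
maps each key to the DNS domain(s) it would have to be published under
if DNS were the key distribution mechanism.  Key material is dummy.
"""
import re

TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13

# e-mail part of a conventional "Name <user@domain>" user ID
EMAIL_RE = re.compile(r"<([^<>@\s]+)@([^<>@\s]+)>")


def parse_packets(data: bytes):
    """Yield (tag, body) for each packet in an OpenPGP packet stream."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"byte {i}: packet header bit 7 not set")
        i += 1
        if ctb & 0x40:
            # New-format header: tag in the low 6 bits; 1-, 2- or 5-octet length.
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:
            # Old-format header: tag in bits 2-5, length-type in bits 0-1.
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            nbytes = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        yield tag, body


def packet(tag: int, body: bytes) -> bytes:
    """Encode a new-format packet, choosing the shortest legal length form."""
    if len(body) < 192:
        hdr = bytes([0xC0 | tag, len(body)])
    elif len(body) < 8384:
        l = len(body) - 192
        hdr = bytes([0xC0 | tag, (l >> 8) + 192, l & 0xFF])
    else:
        hdr = bytes([0xC0 | tag, 255]) + len(body).to_bytes(4, "big")
    return hdr + body


def old_packet(tag: int, body: bytes) -> bytes:
    """Encode an old-format packet with a one-octet length (body <= 255 octets)."""
    assert len(body) <= 255
    return bytes([0x80 | (tag << 2), len(body)]) + body


def user_ids(keyblock: bytes) -> list:
    return [body.decode("utf-8") for tag, body in parse_packets(keyblock)
            if tag == TAG_USER_ID]


def candidate_domains(keyblock: bytes) -> set:
    """Domains that would each need to serve this key if keys lived in DNS.

    An empty set is the failure case from the thread: a key whose user IDs
    carry no e-mail address has no natural home in the DNS namespace.
    """
    domains = set()
    for uid in user_ids(keyblock):
        m = EMAIL_RE.search(uid)
        if m:
            domains.add(m.group(2).lower())
    return domains


# Constructed key blocks: a stand-in public-key packet body, then user IDs.
DUMMY_KEY_MATERIAL = b"\x04" + b"\x00" * 40

# Two user IDs in two different domains; the pgp.com address is a placeholder.
MULTI_DOMAIN_KEY = (
    packet(TAG_PUBLIC_KEY, DUMMY_KEY_MATERIAL)
    + old_packet(TAG_USER_ID, b"L. Sassaman <rabbi@quickie.net>")
    + packet(TAG_USER_ID, b"L. Sassaman <someone@pgp.com>")
)

# A certification key whose only user ID has no e-mail address at all.
NO_EMAIL_KEY = (
    packet(TAG_PUBLIC_KEY, DUMMY_KEY_MATERIAL)
    + packet(TAG_USER_ID, b"PGP Employee Certification Key")
)

if __name__ == "__main__":
    for name, kb in (("multi-domain key", MULTI_DOMAIN_KEY), ("no-email key", NO_EMAIL_KEY)):
        print(name, user_ids(kb), "->", sorted(candidate_domains(kb)) or "(nowhere)")
```

The parser deliberately rejects partial-body and indeterminate lengths rather than guessing, since a keyserver that silently mis-frames a packet stream will attach the wrong user IDs to the wrong key.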