
Re: Use of DNS to distribute keys



Steve:

As pointed out earlier, the DNS UDP size limitation and the
largeish and growing size of modern certificates probably make
it unrealistic to support DNS-based certificate distribution,
at least with current implementations.

Perhaps throwing in email has been a complicating factor,
not only because of the MX driven store-and-forward stuff, but
because now we are authenticating people rather than net hosts.

It has been obvious for some time that the Internet canonical
"user@host.domain" paradigm for person-identification is
breaking down.  This scheme made a great deal of sense when
there were a few dozen well-known large mainframes with many
users on each, but it gets strained when we move to personal
machines where the "host.domain" part identifies the owner as
well as the machine and if "user" is used at all it is used to
identify functional entities within that personal machine.

As a consequence we have "kluged" it by making the "host.domain"
part of email addresses specify an entire community of users
(like BBN.COM) and we use the MX mechanism to store-and-forward
the mail to the appropriate workstation or repository.
A byproduct of this is that we can deal nicely with workstations
being turned off at night and with people reading their mail
from more than one workstation.  While this is a Good Thing
(and I use both these features myself) the fact remains that
"user@host.domain" might not be the best email addressing
paradigm for the current network environment.

We might need to generalize the identifier problem to the
idea of a Network Visible Entity (NVE) and then define new
protocols in order to extract things like email routing
information from them.  If we do this, obtaining any needed
email certificates would more correctly be a function of
these new protocols than patching it into a database keyed
on host name like the DNS.

Unfortunately this is beginning to sound like X.500...
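To put a number on the UDP size limit raised at the top of this message, here is an added example (not from the message or from any implementation it refers to) that encodes a minimal DNS response carrying an opaque certificate blob and checks it against the classic 512-byte UDP reply limit of RFC 1035. The query name, the 1024-byte stand-in blob and the use of the later CERT RR type code are assumptions, not details from the thread.

```python
import struct

# Classic DNS-over-UDP payload limit (RFC 1035, without the later EDNS0 extension).
UDP_LIMIT = 512
# CERT RR type code (RFC 4398); an assumption, not something the message cites.
CERT_TYPE = 37


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus a zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_response(qname: str, rrtype: int, rdata: bytes, ttl: int = 3600) -> bytes:
    """Build a minimal DNS response: 12-byte header, one question, one answer RR.

    The answer's owner name is a compression pointer (0xC00C) back to the question
    name, so the answer costs 12 bytes of RR framing plus the RDATA itself."""
    if len(rdata) > 0xFFFF:
        raise ValueError("RDATA exceeds the 16-bit RDLENGTH field")
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = encode_name(qname) + struct.pack("!HH", rrtype, 1)  # class IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", rrtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def fits_in_udp(qname: str, rrtype: int, rdata: bytes) -> tuple:
    """Return (wire size, True if the reply fits in a classic 512-byte UDP datagram)."""
    size = len(build_response(qname, rrtype, rdata))
    return size, size <= UDP_LIMIT


def max_rdata_for(qname: str) -> int:
    """Largest RDATA that still fits in a single-answer reply under the 512-byte limit."""
    overhead = 12 + len(encode_name(qname)) + 4 + 12
    return UDP_LIMIT - overhead


if __name__ == "__main__":
    # Constructed stand-in for a DER-encoded certificate, roughly the size of a
    # small X.509 certificate; it is all zeros, not real certificate data.
    fake_cert = bytes(1024)
    print(fits_in_udp("alice.example.com", CERT_TYPE, fake_cert))  # (1071, False)
    print(max_rdata_for("alice.example.com"))  # 465
```

A reply that does not fit has to go out truncated (TC bit set) and be re-fetched over TCP, which is the per-implementation cost the message alludes to.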
