
List:       namedroppers
Subject:    dns&revocation, was Re: draft-...-delegation-signer-01
From:       Edward Lewis <lewis () tislabs ! com>
Date:       2001-08-23 1:13:36

IMHO, DNS != PKI, and we shouldn't make it one.

There are many reasons why I feel this way.  Probably the most basic is the
observation that a lookup service, such as DNS, is so critical to the
operations of the distributed system surrounding it that we need to keep it
as simple as possible.  This should be done to limit the chance the service
will fail (principally by keeping the implementation software simple).

Note that what constitutes simplicity is poorly defined.  DNS as of RFC
1035 (and clarifications such as 2181) is much simpler than DNS + DNSSEC
and/or DNS + A6.  But the services added by DNSSEC and A6 are (arguably)
simple enough and important enough to stretch the mission a bit more.
Augmenting DNS to become a PKI is not so simple; take, for example, the PKIX
WG documents and try "porting" them to DNS.  (Some of the document titles
are longer than DNS drafts. :))

Note: I don't intend to make the claim that A6 is a must do for DNS -
especially not in this thread - but it is an example of a recent effort to
significantly augment DNS.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.