
List:       pgp-keyserver-folk
Subject:    Re: Keyserver contents [Re: db_errcall: ....]
From:       Redvers Davies <mass () madhouse ! org ! uk>
Date:       2000-02-13 13:54:38

> Verification of signatures is done by key ID, not by email address.
> DNS doesn't have a mechanism for doing the right kind of delegation.
> In fact, nothing does.  For this to work, extra information would need
> to be present in the signature to know who was authoritative.

I must apologise, "authoritative" was a poor choice of word - I did not mean
it to mean any more than a server which was known to hold information about
keys in that domain.  It will never be feasible for a keyserver to be able
to ascertain any authority other than a key exists.

I completely take your point about keys that do not have any "identifying"
fields.  Not quite sure how you would deal with that in such a situation
apart from having an additional hierarchy for those which do not have
"EMail'esque" keys.

This does of course hold the problem as to what to do for those that want to
do a free search on say a name or just a keyID... hmmm.

Perhaps then another approach of having two types of servers on the network?
The first kind holding the freetext, keyid, signaturekeys and repositories
that hold the actual keys - the second kind being a repository which provided
the keys or keyrings to the requesting servers.

Then you can have a more efficient and scalable database front end which could
handle say tens or hundreds of millions of records - and have the actual keys
in more manageable chunks on multiple repository servers.

> It's definitely worth thinking about, but it's not an easy problem.

Indeed.

Red
