[OpenID] OpenID as a PKI facilitator

Recordon, David drecordon at verisign.com
Fri Apr 6 21:43:19 UTC 2007


DNSSEC also requires access to the DNS records to change versus hosting
a key via your existing application.  In addition, DNSSEC requires a
different zone file for each signing key, meaning the overhead of DNS
server management also increases.  As used today, a wildcard DNS entry
such as *.pip.verisignlabs.com would no longer be useful for each user;
rather, each user would have to have a separate entry with a unique key
in a unique zone.  I thus think that while this may seem like a great
solution, the deployment headaches would make it impractical.

--David

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Nic James Ferrier
Sent: Friday, April 06, 2007 1:43 PM
To: Dick Hardt
Cc: OpenID General
Subject: Re: [OpenID] OpenID as a PKI facilitator

Dick Hardt <dick at sxip.com> writes:

> DNSSEC is another potential way for a global PKI to be deployed.

I love DNSSEC as a solution. It rocks.

Trouble is, it's another of those solutions that's going to take a long
time to get out there.

When I talk to colleagues about DNSSEC they are mostly uninterested.

Pity.


--
Nic Ferrier
http://www.tapsellferrier.co.uk   
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general