[OpenID] OpenID as a PKI facilitator
Recordon, David
drecordon at verisign.com
Fri Apr 6 21:43:19 UTC 2007
DNSSEC also requires access to the DNS records to change versus hosting
a key via your existing application. In addition, DNSSEC requires a
different zone file for each signing key, meaning the overhead of DNS
server management also increases. As used today, a wildcard DNS entry
such as *.pip.verisignlabs.com would no longer be useful for each user,
rather each user would have to have a separate entry with a unique key
in a unique zone. I thus think that while this may seem like a great
solution, the deployment headaches would make it impractical.
--David
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Nic James Ferrier
Sent: Friday, April 06, 2007 1:43 PM
To: Dick Hardt
Cc: OpenID General
Subject: Re: [OpenID] OpenID as a PKI facilitator
Dick Hardt <dick at sxip.com> writes:
> DNSSEC is another potential way for a global PKI to be deployed.
I love DNSSEC as a solution. It rocks.
Trouble is, it's another of those solutions that's going to take a long
time to get out there.
When I talk to colleagues about DNSSEC they are mostly uninterested.
Pity.
--
Nic Ferrier
http://www.tapsellferrier.co.uk