[OpenID] OpenID as a PKI facilitator

Recordon, David drecordon at verisign.com
Sat Apr 7 00:48:46 UTC 2007


I thought that as well, but verified that with one of the authors of some of the DNSSEC RFCs before sending my note.

--David


 -----Original Message-----
From: 	Dick Hardt [mailto:dick at sxip.com]
Sent:	Friday, April 06, 2007 05:42 PM Pacific Standard Time
To:	Recordon, David
Cc:	Nic James Ferrier; OpenID General
Subject:	Re: [OpenID] OpenID as a PKI facilitator

Agreed that DNSSEC would require access to DNS records.

I would imagine that the user level key would be a DNS record rather
than each user having a separate zone.

-- Dick

On 6-Apr-07, at 2:43 PM, Recordon, David wrote:

> DNSSEC also requires access to the DNS records to change versus hosting
> a key via your existing application.  In addition, DNSSEC requires a
> different zone file for each signing key, meaning the overhead of DNS
> server management also increases.  As used today, a wildcard DNS entry
> such as *.pip.verisignlabs.com would no longer be useful for each user,
> rather each user would have to have a separate entry with a unique key
> in a unique zone.  I thus think that while this may seem like a great
> solution, the deployment headaches would make it impractical.
>
> --David
>
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net]
> On Behalf Of Nic James Ferrier
> Sent: Friday, April 06, 2007 1:43 PM
> To: Dick Hardt
> Cc: OpenID General
> Subject: Re: [OpenID] OpenID as a PKI facilitator
>
> Dick Hardt <dick at sxip.com> writes:
>
>> DNSSEC is another potential way for a global PKI to be deployed.
>
> I love DNSSEC as a solution. It rocks.
>
> Trouble is, it's another of those solutions that's going to take a long
> time to get out there.
>
> When I talk to colleagues about DNSSEC they are mostly uninterested.
>
> Pity.
>
>
> --
> Nic Ferrier
> http://www.tapsellferrier.co.uk
