[OpenID] OpenID as a PKI facilitator

Dick Hardt dick at sxip.com
Sat Apr 7 01:17:45 UTC 2007


Hmmm ... that is not how I understood it worked from talking to Ben  
Laurie.

Ben: would seem pretty heavy if a zone file was needed to store a key
in a record. Is this true?

-- Dick

On 6-Apr-07, at 5:48 PM, Recordon, David wrote:

> I thought that as well, but verified that with one of the authors  
> of some of the DNSSEC RFCs before sending my note.
>
> --David
>
>
>  -----Original Message-----
> From:   Dick Hardt [mailto:dick at sxip.com]
> Sent:   Friday, April 06, 2007 05:42 PM Pacific Standard Time
> To:     Recordon, David
> Cc:     Nic James Ferrier; OpenID General
> Subject:        Re: [OpenID] OpenID as a PKI facilitator
>
> Agreed that DNSSEC would require access to DNS records.
>
> I would imagine that the user level key would be a DNS record rather
> than each user having a separate zone.
>
> -- Dick
>
> On 6-Apr-07, at 2:43 PM, Recordon, David wrote:
>
> > DNSSEC also requires access to the DNS records to change versus hosting
> > a key via your existing application.  In addition, DNSSEC requires a
> > different zone file for each signing key, meaning the overhead of DNS
> > server management also increases.  As used today, a wildcard DNS entry
> > such as *.pip.verisignlabs.com would no longer be useful for each user,
> > rather each user would have to have a separate entry with a unique key
> > in a unique zone.  I thus think that while this may seem like a great
> > solution, the deployment headaches would make it impractical.
> >
> > --David
> >
> > -----Original Message-----
> > From: general-bounces at openid.net [mailto:general-bounces at openid.net]
> > On Behalf Of Nic James Ferrier
> > Sent: Friday, April 06, 2007 1:43 PM
> > To: Dick Hardt
> > Cc: OpenID General
> > Subject: Re: [OpenID] OpenID as a PKI facilitator
> >
> > Dick Hardt <dick at sxip.com> writes:
> >
> >> DNSSEC is another potential way for a global PKI to be deployed.
> >
> > I love DNSSEC as a solution. It rocks.
> >
> > Trouble is, it's another of those solutions that's going to take a long
> > time to get out there.
> >
> > When I talk to colleagues about DNSSEC they are mostly uninterested.
> >
> > Pity.
> >
> >
> > --
> > Nic Ferrier
> > http://www.tapsellferrier.co.uk
